Privacy Policy
Skill Supply
Data Protection Policy
At Skill Supply Ltd. (the Data Controller) we respect the privacy of the individuals, the children, their parents or carers, the staff of the establishments we work in, as well as the privacy of our staff. Our aim is to ensure that all those using and working with Skill Supply can do so with confidence that their personal data is being kept secure.
Our lead person for data protection is Elizabeth Surry. The lead person ensures that Skill Supply meets the requirements of the General Data Protection Regulations GDPR, liaises with statutory bodies when necessary, and responds to any subject access requests.
Confidentiality
Within Skill Supply we respect confidentiality in the following ways:
· We hold only the information necessary to provide a safe service for everyone.
· We will only ever share information with a parent about their own child.
· Information given by individuals, parents or carers to Skill Supply will not be passed on to third parties without permission unless there is a safeguarding issue (as covered in our Safeguarding Policy), or we are required to by law (e.g. HMRC, PHE)
· Concerns or evidence relating to a child’s safety, will be kept in a confidential file and will not be shared within the Club, except with the designated Safeguarding Lead and the manager.
· Staff only discuss individuals for purposes of planning and group management.
· Staff only discuss individuals medical or disability needs for purposes of safety and inclusion within a setting.
· Staff are made aware of the importance of confidentiality during their induction process.
· Issues relating to the employment of staff, whether paid or voluntary, will remain confidential to those making personnel decisions.
· All personal data is stored securely on a password protected computer, a passcode-locked phone or in a lockable file (if printed).
· Students on work placements and volunteers are informed of our Data Protection policy and are required to respect it.
Information that we keep
The items of personal data that we keep about individuals are documented on our personal data matrix. The personal data matrix is reviewed annually to ensure that any new data types are included.
Educational Organisations (e.g. Schools, Colleges and Universities) and Business Customers
We collect data on our business customers to allow us to deliver on the work we have been contracted to do. So, we collect, names, addresses, emails and location details. It is a requirement that we communicate regularly with our customers so that we can fulfil their requirements. Statements of work, photos release forms, and reports after the activities are sent on the basis of Contractual Obligation and Legitimate Business interests. We also invoice and chase invoices on the grounds of legitimate interest.
With our educational and business customers we mail and email them on the basis of legitimate business interest. Because they’re customers, and have been presented with the opportunity to opt out, on every communication, and when the data was collected, we do this under Privacy and Electronic Communications Regulations (PECR) soft opt in.
Communications to educational and business customers therefore include
1) Communications throughout the sale, email, letter and phone calls, all required to sell the product
2) Monthly email newsletter to customers, informing them of developments in the market
Educational Organisations and Business Prospecting
We source contact details from websites, contacts, and networking opportunities, on both organisations and individuals within them to prospect to them via direct mail, email newsletters and phone calls. We communicate with them on the grounds of legitimate business interest, it is in our interest to develop relationships with this audience to sell them our product in the future. They have the opportunity to opt out, and opt in.
Individual Customers (including those booking for their own children)
We hold only the information necessary to provide a safe service for everyone. This includes registration information, medical information, parent contact information (if necessary), attendance records, incident and accident records and so forth. Once individuals leave our care we retain only the data required by statutory legislation and industry best practice, and for the prescribed periods of time. Electronic data that is no longer required is deleted and paper records are disposed of securely.
Photographs will be taken of individuals that give us permission and those children whose parents give us permission to do so. They will only be used in accordance with the level of permissions indicated on the booking form for the activity. Any other photographs that do not have permission will be deleted. Photographs will be kept for the lengths of time indicated on our personal data matrix.
When booking with us individual customers have the option to opt in to our email newsletter. We also have an opt-in form on our website. We keep records of all individuals who opt-in and any of those who subsequently opt-out, we keep their names (only) on file to ensure we no longer send them emails.
School children, adults and staff where we work in their establishment:
We do not keep any information about individual children or staff (at a school or establishment), unless there is a legitimate reason to do so, such as incident and accident records. Contact details of the staff we have liaised with to book the workshop, course or event will be kept on file to maintain our service to them and communicate with them effectively as a customer of Skill Supply Ltd.
Contact details of adults that have undertaken our workshops on courses contact details will be kept on file maintain our service to them and communicate with them effectively as a customer of Skill Supply Ltd.
Photographs of children in schools, will be taken where permission has been given to the school by the parent. Permission will be sought from the Head teacher or responsible teacher in the form of a photo release form that they can opt in to. Photographs will only be taken where we have prior permission to do so in writing. We will trust the school to gain permission for photo use from parents and then convey this permission to us (or not) on the photo release form.
Photographs will be used in a report to be submitted to the schools for their use, in line with their own data privacy policies. Photographs will not be used on our social media, website or printed material if we do not have permission from the school to be able to do this.
Where Individual photographs that are to be used in the press, we will gain individual consent from the parent(s) of the child concerned, either directly or via the school.
Any photos that do not have permission from a school will be deleted.
Skill Supply Staff & volunteers:
We keep information about employees to meet HMRC requirements, and to comply with all other areas of employment legislation. We retain the information after a member of staff has left our employment for the recommended period of time, then it is deleted or destroyed as necessary. We recruit and retain staff using our Safer Recruitment and Safeguarding policies and any information will be gained in accordance with this.
Data Security
Data is stored in the most secure way that we can, which allows us to deliver on the contracts.
All pcs are password protected and files within the pc that contain sensitive data are encrypted. Backups are stored on the cloud using OneDrive (Microsoft).
We use secure, wired transfer to move customer data and images from phone/camera to PC. Online storage – we use Google Drive and OneDrive to store and transfer some data, with secure links to people on the above data processor list.
Emails are sent through G-Suite and Active Campaign and our booking system, Clubsbuddy, WooComerce and Learndash. Our accounting software, and our Customer relationship manager (CRM) Active Campaign are all password protected and have restricted staff use. Our due diligence shows these organisations adhere to the standards required by GDPR (see appendix).
PC’s are protected by a rigid password policy and all company phones have pin numbers and or fingerprint / face recognition and are connected via find my phone, allowing the data on them to be cleansed. All lap tops are password protected and not left unsecured.
Any data on paper is kept in a locked storage cabinet behind a locked door at our office registered address. Any data in transit is kept with us in folders with staff access only and returned to locked storage or disposed of by shredding when no longer required.
Sharing information with third parties
We will only share information with outside agencies on a need-to-know basis and with consent from individuals or parents of (if under 16), except in cases relating to safeguarding children, public health issues, criminal activity, or if required by legally authorised bodies (e.g. Police, HMRC, etc). If we decide to share information without parental consent, we will record this in the child’s file, clearly stating our reasons.
We will only share relevant information that is accurate and up to date. Our primary commitment is to the safety and well-being of the individuals in our care.
Where we share relevant information where there are safeguarding concerns, we will do so in line with Government guidance ‘Information Sharing Advice for Safeguarding Practitioners’ (www.gov.uk)
Some limited personal information is disclosed to authorised third parties we have engaged to process it, as part of the normal running of our business, for example in order to take online bookings, and to manage our payroll and accounts. Any such third parties should comply with the strict data protection regulations of the GDPR through their own policies and procedures.
Your rights
Subject access requests
· Parents/carers can ask to see the information and records relating to their child, and/or any information that we keep about themselves.
· Course participants organisers, staff and volunteers can ask to see any information that we keep about them.
· We will make the requested information available as soon as practicable and will respond to the request within one month at the latest.
· If our information is found to be incorrect or out of date, we will update it promptly. Parents /carers can ask us to delete data, but this may mean that we can no longer provide care to the child as we have a legal obligation to keep certain data.
· Course participants may ask us to delete data, but this may mean we can no longer accommodate them on a course as we have a legal obligation to keep certain data.
· In addition, even after a child has left our care, we must keep some data for specific periods so won’t be able to delete all data immediately.
· Staff and volunteers can ask us to delete their data, but this may mean that we can no longer employ them as we have a legal obligation to keep certain data. In addition, even after a staff member has left our employment, we have to keep some data for specific periods so won’t be able to delete all data immediately.
· If any individual about whom we hold data has a complaint about how we have kept their information secure, or how we have responded to a subject access request, they may complain to the Information Commissioner’s Office (ICO).
GDPR
We comply with the requirements of the General Data Protection Regulation (GDPR), regarding obtaining, storing and using personal data.
Monitoring and review of this policy
Our lead person for data protection is Elizabeth Surry. The lead person ensures that Skill Supply meets the requirements of the GDPR, liaises with statutory bodies when necessary, and responds to any subject access requests. The director, Elizabeth Surry, shall be responsible for reviewing this policy annually to ensure that it meets legal requirements and reflects best practice.
This policy has been written* by Elizabeth Surry on behalf of Skill Supply Ltd. (including Skill Clubs). Any questions or problems should be emailed to contact@skillsupply.co.uk
Updated and reviewed here 18th January 2022
*Written in accordance with the Statutory Framework for the Early Years Foundation Stage (2021): Safeguarding and Welfare Requirements: Information and records [3.67 -3.72]. and the requirements of the General Data Protection Regulation (GDPR).