New EU regulations known as the General Data Protection Regulation (GPDR) will come into force on 25 May 2018. The GPDR places significant additional responsibilities, over and above those defined in the Data Protection Act 1998, on those who collect and process personal data to ensure that providers of personal data understand the lawful basis for the collection and processing of their data. The document which explains this basis is known as a ‘Privacy Notice’. The present document constitutes the Orwell Dance Privacy Notice.
What personal data does the School need to collect?
For each student of the school the name, date of birth, contact details (address, telephone and email), and medical information.
Who is collecting the data?
The data will be collected by the school principal.
How is the data collected?
Data is mainly collected by means of paper enrolment forms, although forms will now be completed via the online portal.
Why does the School need to collect this data?
Self-evidently, the school must know the names of students in order to communicate within the class, their ages, contact details (in order to communicate information about the school) and medical information (so that teachers are aware of any medical conditions which may affect the learning of dance and students wellbeing).
How will the data be used?
Data will be input to a class management software called ‘Class manager.’ This is used to generate class lists/registers and a summary of school fees for each student. It will also be used, in combination with information from class teachers, to aid management planning of lessons, exams and performances. Parents/Guardians will receive emails from this software as well as from the school mailing address.
To ensure the wellbeing of children during lesson and rehearsal times, the class teacher will have a hard copy of the child’s name, emergency contact (name and telephone number) and any medical conditions.
With whom will the data be shared?
The database itself is routinely accessible by the school principal, Mrs Marina O’Brien, although from time to time other teachers within the school may be given supervised access as and when required. None of the data will be placed online or shared with any outside agency or organisation. None of the data will be sold to or shared with any other organisation. The school does not receive commercial sponsorship.
Does anyone else associated with the school collect data?
The Royal Academy of Dance, the Imperial Society of Teachers of Dancing, and the British Federation of Festivals will require student details (names, dates of birth and gender) for exam and competition entries. These organisations have their own Data Protection Policies. Liberty School of Dance will require you to OPT-IN before any entry data is submitted on entry forms.
Can I see my data or ask for it to be deleted?
You have the right to see your personal data, and to ask for it to be deleted. A request to view your data is known as a ‘subject access request’. The school is legally obliged to respond to your request within 30 days.
How long will my data be kept?
Paper enrolment forms will normally be kept for approximately one month (until the information has been recorded electronically) and then destroyed either by shredding or burning. The school has no timescale for the erasing of electronically held data. These data form a historical record of the school and the aim is to preserve that record. The school has been running continuously since 2012 but the new software system on which information is stored has only been running since February 2019. We would therefore like to maintain a reasonable historical record from then on. If you would like your details erased from the historic record you should make a subject access request. Your data will then be anonymised in the database.
How secure is my data?
Electronic data is held in a password-protected database and a backup copy maintained. None of the data is accessible online. Paper documents (eg. enrolment forms) are kept in a private dwelling with normal domestic security measures in place before they are destroyed; the school will take reasonable measures to ensure that the paper data is not lost or stolen or viewed by unauthorised persons but does not guarantee to store it under lock and key. Email communications are not subject to special encryption measures. The GDPR mandates procedures which must be followed for reporting a breach or suspected breach of data security.
How will the new measures affect the registration process in future years?
You will need to tick a lot more boxes in future to make it clear that you understand data collection issues and have ‘opted in’. A requirement of the GPDR is that providers of personal data must positively ‘opt-in’ to having their data collected; it is no longer permissible to assume that ‘silence gives consent’.