LAR Performing Arts GDPR Policy
GDPR stands for General Data Protection Regulation and replaces the previous Data Protection. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018. GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’, and that individuals’ data is not processed without their knowledge and is only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. LAR Performing Arts is committed to protecting the rights and freedoms of individuals with respect to the processing of children's, parents’, visitors’ and staff personal data. The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
GDPR includes 7 rights for individuals
1) The right to be informed
LAR Performing Arts is a registered LAMDA Exam Centre and so is required to collect and manage certain data. We need to know parents’ names, addresses, telephone numbers and email addresses. We need to know children’s full names, addresses, date of birth and Education school, along with any SEN requirements.
We are required to collect certain details of visitors to LAR Performing Arts. We need to know visitors’ names, telephone numbers and, where appropriate, company name. This is in respect of our Health and Safety and Safeguarding Policies.
As a contractor of self-employed people, LAR Performing Arts is required to hold data on its Teachers: names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, photographic ID such as passport and driver’s license, and bank details. This information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK.
This is required for processing of DBS checks. DBS Numbers and date of issue are also held on a central staffing record.
2) The right of access
At any point an individual can make a request relating to their data and LAR Performing Arts will need to provide a response (within 1 month). LAR Performing Arts can refuse a request if we have a lawful obligation to retain data, but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision.
3) The right to erasure
You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, LAR Performing Arts has a legal duty to keep children’s and parents’ details for a reasonable time*. LAR Performing Arts retains these records for 3 years after leaving school, children's accident and injury records for 19 years (or until the child reaches 21 years), and 22 years (or until the child reaches 24 years) for Child Protection records. Staff records must be kept for 6 years after the member of staff leaves employment, before they can be erased. This data is archived securely onsite and shredded after the legal retention period.
4) The right to restrict processing
Parents, visitors and staff can object to LAR Performing Arts processing their data. This means that records can be stored but must not be used in any way, for example examination applications, reports or for communications.
5) The right to data portability
LAR Performing Arts requires data to be transferred from one IT system to another; such as from LAR Performing Arts to LAMDA for examinations. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR.
6) The right to object
Parents, visitors and staff can object to their data being used for certain activities like marketing or research.
7) The right not to be subject to automated decision-making including profiling.
Automated decisions and profiling are used for marketing-based organisations. LAR Performing Arts does not use personal data for such purposes.
Storage and use of personal information
We do not have paper copies of children or staff records. All information is collected via Acuity when booking a class. Only the Principal (Louisa Alice-Rose) can view the entirety of this information. Individual Teachers can view the names, medical conditions and emergency contact details of those attending their Class/es. If a child no longer attends a class at LAR, this information is deleted after a retention period. There is an opt out option for our Mailing List.
LAR Performing Arts stores personal data held visually in photographs or video clips or as sound recordings. No full names are stored with images in photo albums, displays, on the website or on LAR Performing Arts social media sites. Access to all Office computers is password protected. When a member of staff leaves the company these passwords are changed in line with this policy and our Safeguarding policy. Any portable data storage used to store personal data, e.g. a USB memory stick, is password protected and/or stored in a locked office and within this office a locked filing cabinet.
GDPR means that LAR Performing Arts must:
* Manage and process personal data properly
* Protect the individual’s rights to privacy
* Provide an individual with access to all personal information held on them.
This Policy was adapted at a meeting at LAR Performing Arts in August 2018
Policy review date: August 2019