Active Life recognises and accepts its responsibilities as set out in the Data Protection Act 1998 and the General Data Protection Regulations 2018, (GDPR). As Data Controller, Active Life will take all reasonable steps to meet these responsibilities and to promote good practice in the handling and use of personal information. In particular Active Life will comply with the Data Protection Principles set out in all current legislation.
This policy statement applies to all customers, employees, trustees and individuals about whom Active Life processes personal information, as well as other partners and companies with which Active Life undertakes it business.
Active Life needs to collect and use certain types of personal information about people with whom it deals in order to operate. These include current, past and prospective customers, employees, trustees, suppliers, partner organisations, and others with whom it communicates. In addition, it may be required by law to collect and use certain types of information to comply with the requirements of government departments. This personal information must be dealt with properly however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material – and there are safeguards to ensure this in the GDPR.
We regard the lawful and correct treatment of personal information by Active Life as very important in order to secure the successful conduct of operations and the delivery of our services, and to maintain the confidence of those with whom we deal. Active Life therefore aims to ensure that it treats personal information lawfully, correctly and in compliance with all current legislation.
To this end, we fully endorse the obligations of the Act and adhere to the Principles of data protection, as enumerated in the GDPR.
- This policy is intended to provide information about how Active Life will use (or “process”) personal data about individuals.
- It applies in addition to Active Life’s terms and conditions, and any other information Active Life may provide about a particular use of personal data.
- Anyone who works for, or acts on behalf of Active Life (including staff, volunteers, trustees and service providers) should also be aware of and comply with Active Life’s data protection policy for staff, which also provides further information about how personal data about those individuals will be used.
RESPONSIBILITY FOR DATA PROTECTION
- Active Life will endeavour to ensure that all personal data is processed in compliance with this policy and the GDPR.
- Active Life has appointed a Data Protection Officer to ensure that all personal data is processed in compliance with this policy and the requirements of the GDPR. Any questions about the operation of this policy or any concerns that the policy has not been followed, should be referred in the first instance to the Data Protection Officer.
TYPES OF PERSONAL DATA PROCESSED BY ACTIVE LIFE
- Active Life may process a wide range of personal data about individuals including current, past and prospective customers as part of its operation, including by way of example:
- names, addresses, telephone numbers, e-mail addresses and other contact details;
- bank details and other financial information;
- past and present admissions and attendance records;
- where appropriate, information about individuals’ health, and contact details for their next of kin;
- references given or received by Active Life about employees and trustees;
- images of customers (and occasionally other individuals) engaging in Active Life’s activities;
- Generally, Active Life receives personal data from the individual directly (or, in the case of children, from parents), however, in some cases personal data may be supplied by third parties (for example the NHS for exercise referral clients).
- Active Life may, from time to time, need to process “sensitive personal data” regarding individuals. Sensitive personal data includes information about an individual’s physical or mental health, race or ethnic origin, or criminal records and proceedings. Sensitive personal data is entitled to special protection under the GDPR, and will only be processed by Active Life with the explicit consent of the appropriate individual, or as otherwise permitted by the GDPR.
USE OF PERSONAL DATA BY ACTIVE LIFE
- Active Life will use (and where appropriate share with third parties) personal data about individuals for a number of purposes as part of its operations, including as follows:
- For the purposes of administering various membership schemes and bookings facilities;
- To provide events in conjunction with partner organisations;
- For the purposes of management planning and forecasting, research and statistical analysis, and to enable the relevant authorities to monitor Active Life’s performance;
- To give and receive information and references about past and current employees and trustees;
- To safeguard customers and employee welfare and provide appropriate pastoral (and where necessary, medical) care, and to take appropriate action in the event of an emergency or accident, including by disclosing details of an individual’s medical condition where it is in the individual’s interests to do so, for example for medical advice, insurance purposes or to organisers of events;
- To make use of photographic images of customers in Active Life publications, promotions, website, social media channels in accordance with Active Life’s policy on taking, storing and using images;
- For security purposes, and for regulatory and legal purposes (for example child protection and health and safety) and to comply with its legal obligations; and
- Where otherwise reasonably necessary for Active Life’s purposes, including to obtain appropriate professional advice and insurance for Active Life
RIGHTS OF ACCESS TO PERSONAL DATA (“subject access request”)
- Individuals have the right under the GDPR to access to personal data about them held by Active Life, subject to certain exemptions and limitations set out in the GDPR. Any individuals wishing to access their personal data should put their request in writing to Active Life.
- Active Life will endeavour to respond to any such written requests (known as “subject access requests”) as soon as is reasonably practicable and in any event within statutory time-limits. Active Life may charge an administration fee of up to £10 for providing this information.
- Certain data is exempt from the right of access under the GDPR. This may include information which identifies other individuals, or information which is subject to legal professional privilege. Active Life is also not required to disclose any reference given by Active Life for the purposes of the education, training or employment of any individual.
- A person with parental responsibility will generally be expected to make a subject access request on behalf of children. A child of any age may ask a parent or other representative to make a subject access request on their behalf.
DATA ACCURACY AND SECURITY
- Active Life will endeavour to ensure that all personal data held in relation to an individual is as up-to-date and accurate as possible. Individuals must notify Active Life of any changes to information held about them.
- Individuals have the right to request that inaccurate information about them be erased or corrected (subject to certain exemptions and limitations under the GDPR) and may do so by contacting Active Life in writing.
- Active Life will take appropriate technical and organisational steps to ensure the security of personal data about individuals. All staff will be made aware of this policy and their duties under the GDPR.
- Any comments or queries on this policy should be directed to the Data Protection Officer, firstname.lastname@example.org.