Data Policy

Contents

Definitions.

Policy Statement.

Information Stored.

Medical Information

Contact Information.

Enquiries.

Free Trial Students.

Members.

Ex-Members.

Staff/Volunteers.

Other Information.

Information Access.

Computers.

Mobile and Removable Storage Devices.

Cloud Storage.

Paper Documents.

Sharing Information.

Breaches of Data Protection.

Staff / Franchise Requirements.

Definitions

“CMA Franchises” means the Chuldow Martial Arts Academy Franchises, including anyone employed by or authorised to act on their behalf.

“Cobra” means Cobra Martial Arts Association, including anyone employed by or authorised to act on its behalf.

“Contact Information” means email address, postal address, telephone numbers, social media or instant messaging IDs (or similar), or any other piece of information which would facilitate contact with the customer.

“Customer” means someone who has engaged with CMA HQ in some way, such as a Member, ex-Member, or Enquiry.

“Data Protection Officer” means the person responsible for ensuring that CMA HQ conforms to UK data protection legislation, currently Simon East of CMA HQ.

“Enquiry” means someone who is potentially a Free Trial Student, or has the permission/authority to act on their behalf, who has made a request for CMA HQ to contact them.

“ex-Member” means someone who has previously been a Member, and has either terminated or had their Membership terminated.

“Free Trial” means the period of time for which the person is a Free Trial Student of CMA HQ.

“Free Trial Student” means someone who has attended a class at CMA HQ on a free trial basis but has not yet become a Member.

“Member” means someone who has an active agreement with CMA HQ for payment and/or attending classes, or other similar agreement.

“Membership” means the period of time for which the person is a Member of CMA HQ.

“NEST” means National Education System for Training, registered as Nest Management Limited.

“Personal Information” means any information that is not Contact Information but directly relates to an individual; including but not limited to, date of birth and medical information.

“Products” means any CMA branded product, including but not limited to sparring equipment, uniform, belts, and sporting equipment.

“Third Party” means CMA HQ, Cobra or NEST.

“Third Party System” means a system used and/or owned by CMA Franchises, Cobra or NEST.

“Services” means both contact and non-contract martial arts training.

“Staff” means voluntary and non-voluntary individuals, working on behalf of CMA HQ, including but not limited to assistants to the Instructor, Certified Instructors, and support staff, such as the Welfare Officer.

“Chief Instructor(s)” means those people principally responsible for the martial arts disciplines taught by CMA HQ.

“Academy”, “We”, “Our”, or “Us” means Chuldow Martial Arts (“CMA”) HQ.

Policy Statement

We take our customers’ privacy seriously and will only use personal information to provide the products and services that we have been requested to provide. The purpose of this policy is to explain:

  • How data is obtained;
  • Why data is obtained;
  • Where it is stored;
  • How it is used;
  • Who has access to the data;
  • When and why data is shared with a third party;
  • When it is used; and,
  • When and how it is destroyed.

Under the General Data Protection Regulations there are 6 lawful bases for processing personal and sensitive personal data. These are:

  • Consent;
  • Contract;
  • Legal obligation;
  • Vital interests;
  • Public task; and,
  • Legitimate interests.

The lawful basis for processing will differ depending on the type of data. Therefore, for each type of data defined within this policy, there will be a confirmation of the basis upon which we are processing it.

Any situations or considerations not expressly provided for by this policy will be responded to at the discretion of the Data Protection Officer.

Information Stored

Most data is collected at two points during the customer’s engagement with us: during the Free Trial, and during enrolment. Examples of such data include, but are not limited to:

  • Medical information relating to the Member/Free Trial Student;
  • Personal contact information;
  • Contact information for the Member/Free Trial Student’s next of kin or another emergency contact (whichever the signee of the Student Analysis form provides);
  • The bank details of the person paying the Member’s tuition; and,
  • Any other personal data required to ensure the Member/Free Trial Student’s safety, and/or so that they are licensed and insured to practise martial arts with CMA HQ.

We store the following information for ex-Members for 12 months following the date of termination:

  • Full name;
  • Date of birth (for identification purposes in case we have two individuals with the same name);
  • Belt ranking; and,
  • Graduation history.

This is so that if the ex-Member decides to return to CMA HQ, they have the opportunity to resume their training where they left off rather than having to start from the beginning of the belt system.

Medical Information

We require pertinent medical information from all Members before they can join in with any classes, which is why we ask all Free Trial Students to complete a Health Questionnaire prior to partaking in the class. Our reason for processing medical information is on the basis of legitimate interest; we need to ensure that all staff responsible for the safety, first aid and/or management of exercise for the Member/Free Trial Student can be made aware or can gain access to this information.

It is the responsibility of the Member/Free Trial Student, or their Parent/Guardian, to inform CMA HQ of any changes to the Member/Free Trial Student’s health which could have an impact on the activities they participate in during a class, prior to such activities taking place.

Should an issue arise whereby a Free Trial Student, Member, ex-Member or a Parent/Guardian of one of these individuals presents a legal challenge to CMA HQ due to an injury or other issue where the medical information provided or not provided is relevant, this information must be available.

This includes but is not limited to digital or paper copies of the Member/Free Trial Student’s medical forms, accident books and any letters, emails or other communications relevant to the Member/Free Trial Student’s medical issues.

So that we can adequately defend ourselves against any such legal challenge, copies of all Health Questionnaires completed by a Member/Free Trial Student, or their Parent/Guardian, that declare no medical conditions which have the potential to affect the individual’s ability to participate in any CMA class/event will be stored for a period of 3 years after the termination of their Membership/Free Trial. After such time, they will be permanently destroyed.

Where any Health Questionnaire completed for a Member/Free Trial Student declares a medical condition, CMA HQ will retain copies of all Health Questionnaires completed for the Member/Free Trial Student for 10 years after the termination of their Membership/Free Trial. After such time, they will be permanently destroyed.

Contact Information

Contact information is relevant to three main categories of customer, plus staff members/volunteers:

  • Enquiries
  • Members
  • Ex-Members

Our reason for processing contact information is on the basis of legitimate interest; we need to be able to contact Enquiries and Free Trial Students to discuss their interest in our services, and we need to be able to contact Members, or their Parent/Guardians, about matters that have an impact on the services they use, or our modus operandi.

If a customer or staff member ‘joins’ a social media group created or managed by CMA HQ, CMA HQ will have access to data that is provided. It is the customer’s responsibility to leave such a group, and CMA HQ accepts no responsibility or liability for any information provided by the customer directly to a third-party provider.

The process for dealing with, and timescales for keeping, this information are as follows:

Enquiries

CMA HQ will attempt to contact an Enquiry for three weeks after receiving the request. Once this period has elapsed the lead is regarded as ‘dead’ and further attempts will not be made.

Should contact be made with the Enquiry then it is regarded as ‘live’ and the timescales applicable are managed dependent on the nature of the communication.

CMA HQ will record the date that contact is made (i.e. the initial contact request) and update this each time an Enquiry responds to or initiates contact with CMA HQ as below:

  • Where the Enquiry requests some time before a subsequent contact, the Enquiry is diarised for the requested date/after the requested time period and the three-week time period starts again from this date;
  • When follow-up contact is made with the Enquiry, the three-week timer starts again from this date unless:
    • The Enquiry states that they no longer wish to be contacted, in which case the Enquiry is regarded as dead immediately; or,
    • The Enquiry books an appointment with CMA HQ, in which case the date of the Appointment becomes the new date from which to count.

Free Trial Students

Where an Enquiry attends an appointment with CMA HQ, they are regarded as a Free Trial Student. Where a Free Trial Student completes their Free Trial with CMA HQ and becomes a Member, their information is dealt with in accordance with the ‘Member’ section of this policy.

Where the Free Trial Student either does not complete their Free Trial, or does not become a Member of CMA HQ, their information is dealt with as outlined in the following scenarios:

  • The Free Trial Student attends and books a second appointment. The new appointment date becomes the date from which to start the three-week contact rule;
  • The Free Trial Student attends but fails to book a second appointment. The three-week contact rule starts from the date of the last appointment they attended and they are then handled using the same rules as an Enquiry as above with regard to subsequent contact;
  • The customer enrols with CMA HQ, in which case they are now a Member and are dealt with as such.

If at any point the Enquiry or Free Trial Student informs us that they no longer wish to be contacted by CMA HQ, they are immediately regarded as ‘dead’.

Once an Enquiry or Free Trial Student is regarded as ‘dead’, the information provided is kept for one week to allow for the Enquiry or Free Trial Student to respond to our final attempt to contact them or for us to correct an Enquiry or Free Trial Student marked ‘dead’ in error. After this timeframe the data is anonymised. This involves deletion of name, telephone, postal and email address, and any other identifiable information, leaving only statistically relevant information such as the source of the Enquiry, age of potential Member and the class(es) they were interested in.

Members

Contact information is required for all Members and is kept for the duration of their Membership. This is necessary to ensure we can contact them in case of closure, change of class times, payment issues or other service-related matters. We do not send marketing messages via text, telephone, email or post.

Marketing is dealt with through member groups such as Facebook or Mobilize Groups where the customer opts in by joining the Group and contact information is provided directly to the service provider. We do not sign customers up to these services or provide our customer information to them, nor is joining a requirement for the Member or their Parent/Guardian.

We keep contact information for the duration of the Membership. Upon termination of their Membership, the Member becomes an ex-Member for the purposes of this policy.

Ex-Members

Contact information is kept on file for ex-Members for a period of three months. This is to allow for the Member to return or for us to contact them regarding matters relevant to the termination of their Membership, and other matters deemed important to the individual. After this time contact information is removed from the Member’s record and all copies, both physical and digital, are permanently destroyed.

Staff/Volunteers

Staff members and volunteers will have information stored following the same guidelines as customers.

Certain staff members are required to undergo DBS checks. Copies of the results of DBS checks may be shared with Chuldow HQ and Cobra for the purposes of maintaining their insurance and eligibility to be in contact with children and vulnerable adults. See ‘Other Information’ for further details of how we process information from DBS Certificates.

Financial Information

Financial information is considered to be sort codes, account numbers and credit card numbers. This information will be stored as follows:

  • Credit card numbers will not be stored at all. Credit card receipts are kept; however, these are redacted at source (i.e. the receipt only shows the last four digits of the card number);
  • Sort codes and account numbers are only taken with regards to Direct Debit mandates or to initiate payments (e.g. refunds) to the customer via bank to bank transfer;
    • Direct Debit Mandates will be stored for seven months after the date of the member becoming an ex-member or changing to an alternative form of payment. This is due to the limitation on Direct Debit Indemnity claims being six months from the date of a payment. Should this time limit change in the future then the time period used by CMA HQ will reflect this – we will retain records for one month longer than the Indemnity Limit;
    • Payment information for bank transfers will be deleted immediately following a successful payment to the customer unless there is already a need to pay the customer an agreed future payment.

Our reason for processing financial information is on the basis of contract; we need to be able to process your payment details so that we can provide you with the services and products you have requested of us.

Other Information

Other information which is stored and processed by CMA HQ includes:

  • National Education System for Training (NEST) membership number: this number is generated by NEST. This number will be treated as contact information as it links to the contact information provided by the customer to NEST whilst they are an Enquiry or enrolling as a Member;
  • Cobra Martial Arts Association (Cobra) number: this number links to the Member’s licence and insurance record with Cobra. It will be kept on file for all current Members. It will be stored for ex-Members until one month after the licence has expired and then deleted. This is to allow for renewal should the ex-Member return in a reasonable time frame.
  • Details of the expiry of any first aid qualifications for Members so we can prompt them of its renewal. This information is not regarded as Personal Information as it is purely a date and not identifiable to an individual. This information will be dealt with in the same manner as contact information for ex-Members following the termination of the Membership.
  • Disclosure and Barring Service (DBS) certificates: originals or copies of DBS certificates will not be stored without the consent of the data subject. Whilst they are a Member, we will retain a note of the SCR number, the date the DBS was checked, and who checked it and approved the check. Upon termination of the Membership, this information will be treated in the same manner as contact information for ex-Members.

Any other information will be assessed to see if it falls under the requirements of data protection legislation and, if it does, will only be kept whilst there is a legitimate need to do so. This document will be updated or appended to include any such information.

Information Access

Information will be made available only to those staff who reasonably need it and limited to appropriate methods of access.

If a Customer, or their Parent/Guardian, wishes to view the information we hold for them or exercise any of their rights under the General Data Protection Regulations, a written request needs to be made. Any such request should be marked for the attention of Sarah Hauer, HQ Director, and made either by post to the HQ Academy’s address or by email to [email protected].

Computers

All staff will have access to customer information on the computer located at the CMA HQ Academy building. This is to enable them to obtain emergency contact information and medical information and to contact customers in the event of an unexpected closure or other necessary communication.

Selected members of staff who have a legitimate need may be granted access to this data remotely (see Cloud Storage), but the following will always apply:

  • All computers used by CMA HQ will use encryption on hard drives that contain customer data;
  • All computers used to access customer data will be password or pass number protected;
  • Pass numbers will be issued to staff on a need-to-know basis, not an individual basis, in that all staff requiring a certain level of access will be given the same access credentials. Should any member of staff leave the organisation, those access credentials will be changed at the earliest opportunity;
  • Computers will be locked when not in use.

If a Computer is lost, the passwords for all cloud storage services accessed by that Computer will be changed by the end user where the power to do so is with the end user. Otherwise, the passwords will be changed by the Data Protection Officer as soon as it is reasonably practicable to do so (see Breaches of Data Protection below).

Should the PC, laptop or similar device support remote wiping, this facility will be triggered at the earliest opportunity by the end user.

Mobile and Removable Storage Devices

All staff have access remotely to a shared calendar which may contain bookings and other appointment information for customers such as their full name and age. This will not contain contact information, financial information or other customer identifiable data.

Selected members of staff who have a legitimate need may be granted access to customer contact information on mobile devices and/or access to cloud storage via mobile device (see Cloud Storage). The following will always apply:

  • Mobile device policy used by email services will enforce password/pass number or biometric protection on the mobile device where technically possible;
  • Regardless of the above, all mobile devices will be made password/pass number or biometrically protected by the end user;
  • Staff members will remote wipe any device lost or stolen at the earliest possible opportunity and change any passwords directly under their control.

Any data mentioned or alluded to within this policy will not be stored on removable storage devices, unless it is approved by the Data Protection Officer to ensure that it is appropriately encrypted and secure.

Cloud Storage

Customer data stored in the cloud will be stored only on services declared compliant with current data protection legislation. Currently, our cloud storage system is ‘OneDrive for Business’ provided by Microsoft. Access to this data will be possible from the base computer at the CMA HQ Academy or remotely from computers meeting the requirements specified earlier.

Remote access, controlled by user ID/password, will only be granted to staff members with a legitimate need and only for as long as that need holds. This will apply to access by computer application, browser, mobile device application or similar.

Customer information is also stored on email/contact services (currently Microsoft Exchange) to allow for email communication and telephone directory synchronisation. This service will for the sake of this document be regarded as ‘cloud storage’.

Paper Documents

Paper documents will, where practical to do so, be digitised and the originals destroyed once there is no practical need for paper copies. Whilst paper copies are in use the following measures apply:

  • Paper documents will be transported in a way that they cannot be viewed (such as in an envelope or folder);
  • Paper documents will not be left unattended except in a secure environment such as a locked office, building or cupboard. Documents may be temporarily stored in motor vehicles or transportable cases for the purposes of transporting them to one of the aforementioned secure environments.

Sharing Information

CMA HQ will only share information with third parties where that third party has a need for the information. This is advised to members at enrolment and advertised around the Academy building. Further, all such third parties will be asked to confirm that they comply with current data protection legislation and have in place procedures for dealing with shared information in line with said legislation.

Breaches of Data Protection

Any breach, or potential breach of data protection or this policy, regardless of whether the breach has been dealt with in accordance with the requirements specified above (e.g. remote wiping of phones), must be reported immediately to the Data Protection Officer at CMA HQ. Anyone can make this report.

The Data Protection Officer will ensure any necessary passwords have been changed to ensure cloud services remain secure or change them as soon as it is reasonably practicable to do so, but always within the time frames required under the General Data Protection Regulations.

The breach (or potential breach) will be recorded appropriately and if necessary reported as required per current data protection legislation. Where a breach results in the loss of customer information, the customer will be informed in writing by way of email, and where possible verbally, as soon as it is reasonably practicable to do so. Any such communication will include what information has been obtained, who is likely to have access to it and what steps we are taking to recover the data or mitigate the impact of it having an adverse effect on their rights and freedoms.

Staff / Franchise Requirements

All staff / Franchises will be required to read and understand this document and comply with the requirements specified therein before having access to any of the information covered by this policy. They will sign a statement to this effect.