DATA PROTECTION

1. Background

Data protection is an important legal compliance issue for Teddington Camps. During the course of our activities we collect, store and process personal data (sometimes sensitive in nature) about staff, children, their parents, suppliers and other third parties (in a manner more fully detailed in our Privacy Notices). It is therefore an area where all staff have a part to play in ensuring we comply with and are mindful of our legal obligations, whether that personal data is sensitive or routine.

The law changed on 25 May 2018 with the implementation of the General Data Protection Regulation (GDPR). This is an EU Regulation that is directly effective in the UK and throughout the rest of Europe. The Data Protection Act 2018 also deals with certain issues left for national law. In particular, in the context of our safeguarding obligations, the organisation has a heightened duty to ensure that the personal data of children is at all times handled responsibly and securely. The Information Commissioner's Office (ICO) is responsible for enforcing data protection law and has powers to take action for breaches of the law.

Those who are involved in the processing of personal data are obliged to comply with this policy when doing so. Accidental breaches will happen and may not be a disciplinary issue, but any breach of this policy may result in disciplinary action. This policy may be amended at any time.

This policy sets out the expectations and procedures with respect to processing any personal data we collect from data subjects (e.g. parents, children, staff).

Key data protection terms used in this data protection policy are:

  • Data controller – an organisation that determines the purpose and means of the processing of personal data. For example, the organisation is the controller of children’s personal information. As a data controller, we are responsible for safeguarding the use of personal data.

  • Data processor – an organisation that processes personal data on behalf of a data controller, for example a payroll provider or other supplier of services.

  • Personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

  • Personal information (or personal data) – any information relating to a living individual (a data subject), including name, identification number, location or online identifier such as an email address. Note that personal information created in the ordinary course of work duties (such as in emails, notes of calls, and minutes of meetings) is still personal data and regulated by data protection laws, including the GDPR. Note also that it includes expressions of opinion about the individual or any indication of someone’s intentions towards that individual.

  • Processing – virtually anything done with personal information, including obtaining or collecting it, structuring it, analysing it, storing it, sharing it internally or with third parties (including making it available to be viewed electronically or otherwise), altering it or deleting it.

  • Special categories of personal data – data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and medical conditions, sex life or sexual orientation, genetic or biometric data used to identify an individual. There are also separate rules for the processing of personal data relating to criminal convictions and offences.

2. Head of Data Protection

Teddington Camps has appointed Matt Searle as the Head of Data Protection who will endeavour to ensure that all personal data is processed in compliance with this Policy and the principles of the GDPR. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to him.

3. The Principles

The GDPR sets out six principles relating to the processing of personal data which must be adhered to by data controllers (and data processors). These require that personal data must be:

1.    Processed lawfully, fairly and in a transparent manner;

2.    Collected for specific and explicit purposes and only for the purposes it was collected for;

3.    Relevant and limited to what is necessary for the purposes it is processed;

4.    Accurate and kept up to date;

5.    Kept for no longer than is necessary for the purposes for which it is processed; and

6.    Processed in a manner that ensures appropriate security of the personal data.

The GDPR's 'accountability' principle also requires that we not only process personal data in a fair and legal manner but that we are also able to demonstrate that our processing is lawful.  This involves, among other things:

  • keeping records of our data processing activities, including by way of logs and policies;

  • documenting significant decisions and assessments about how we use personal data; and

  • generally having an 'audit trail' with regard to data protection and privacy matters, including for example when and how our Privacy Notices were updated, how and when data protection consents were collected from individuals, how breaches were dealt with, etc.

4. Lawful grounds for data processing

Under the GDPR there are several different lawful grounds for processing personal data. One of these is consent. However, because the definition of what constitutes consent has been tightened under GDPR (and the fact that it can be withdrawn by the data subject) it is generally considered preferable to rely on another lawful ground where possible. 

One of these alternative grounds is 'legitimate interests', which is the most flexible basis for processing. However, it does require transparency and a balancing assessment between the rights of the individual and the interests of the Controller. It can be challenged by data subjects and also means the Controller is taking on extra responsibility for considering and protecting people's rights and interests. The company’s legitimate interests are set out in its Privacy Policy, as GDPR requires.

Other lawful grounds include:

  • compliance with a legal obligation, including in connection with employment and diversity;

  • contractual necessity, e.g. to perform a contract with staff or parents;

  • a narrower set of grounds for processing special categories of personal data (such as health information), which includes explicit consent, emergencies, and specific public interest grounds.

5. Headline responsibilities of all staff

Record-keeping

It is important that personal data held by the company is accurate, fair and adequate. You are required to inform the company if you believe that your personal data is inaccurate or untrue or if you are dissatisfied with the information in any way. Similarly, it is vital that the way you record the personal data of others – in particular colleagues, children and their parents – is accurate, professional and appropriate.

Staff should be aware of the rights set out below, whereby any individuals about whom they record information in emails and notes on company business may have the right to see that information. This absolutely must not discourage you from recording necessary and sometimes difficult records of incidents or conversations involving colleagues or children, in accordance with the company’s other policies, and grounds may sometimes exist to withhold these from such requests. However, the starting position is to record every document or email in such a way that you would be able to stand by it if the person about whom it was recorded were to see it.

Data handling

All staff have a responsibility to handle the personal data which they come into contact with fairly, lawfully, responsibly and securely and in accordance with all relevant company policies and procedures. In particular, there are data protection implications across a number of areas of our wider responsibilities such as safeguarding and IT security, so all staff should read and comply with the following policies:

  • Acceptable Usage Policy

  • Confidential Waste Disposal Policy

  • Images of Children Policy

  • Information Technology Physical Security Policy

  • IT Operational Management Policy

  • Records Management Policy

  • Remote Working Policy

  • IT Disposal Policy

Responsible processing also extends to the creation and generation of new personal data / records, as above, which should always be done fairly, lawfully, responsibly and securely.

Avoiding, mitigating and reporting data breaches

One of the key new obligations contained in the GDPR is on reporting personal data breaches. Teddington Camps must report certain types of personal data breach (those which risk an impact to individuals) to the ICO within 72 hours. 

In addition, we must notify individuals affected if the breach is likely to result in a "high risk" to their rights and freedoms. In any event, the company must keep a record of any personal data breaches, regardless of whether we need to notify the ICO. If you become aware of a personal data breach you must notify Matt Searle as soon as possible. If you are in any doubt as to whether or not you should report something, it is always best to do so. A personal data breach may be serious, or it may be minor, and it may involve fault or not, but the company always needs to know about them to make a decision and take relevant action.

As stated above, Teddington Camps may not need to treat the incident itself as a disciplinary matter – but a failure to report could result in significant exposure for the company, and for those affected, and could be a serious disciplinary matter whether under this Policy or the staff member’s contract.

Care and data security

More generally, we require all our staff to remain conscious of the data protection principles (see section 3 above), to attend any training we require them to, and to use their best efforts to comply with those principles whenever they process personal information. Staff should always consider what the most assured and secure means of delivery is, and what the consequences would be of loss or unauthorised access.

We expect all those with management / leadership responsibilities to be particular champions of these principles and to oversee the swift reporting of any concerns about how personal information is used by the company to Matt Searle and to identify the need for (and implement) regular staff training.

6. Rights of Individuals

In addition to the company’s responsibilities when processing personal data, individuals have certain specific rights, perhaps most significantly that of access to their personal data held by a data controller (i.e. Teddington Camps). This is known as the 'subject access right' (or the right to make 'subject access requests'). Such a request must be dealt with promptly and does not need any formality, nor to refer to the correct legislation. If you become aware of a subject access request (or indeed any communication from an individual about their personal data), you must tell Matt Searle as soon as possible.

Individuals also have legal rights to:

  • require us to correct the personal data we hold about them if it is inaccurate;

  • request that we erase their personal data (in certain circumstances);

  • request that we restrict our data processing activities (in certain circumstances);

  • receive from us the personal data we hold about them for the purpose of transmitting it in a commonly used format to another data controller;

  • object, on grounds relating to their particular situation, to any of our particular processing activities where the individual feels this has a disproportionate impact on them; and

  • object to automated individual decision-making, including profiling (where a significant decision is made about the individual without human intervention), and to direct marketing, or to withdraw their consent where we are relying on it for processing their personal data.

Except for the final bullet point, none of these rights for individuals are unqualified and exceptions may well apply. In any event, however, if you receive a request from an individual who is purporting to exercise one or more of their data protection rights, you must tell Matt Searle as soon as possible.

7. Data Security: online and digital 

Teddington Camps must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Staff must refer to the company’s IT policies, including the Remote Working Policy, to ensure they are following authorised ways of working.

8. Processing of Credit Card Data

The company complies with the requirements of the PCI Data Security Standard (PCI DSS). Staff who are required to process credit card data must ensure that they are aware of and comply with the most up to date PCI DSS requirements.

STAFF RECRUITMENT POLICY

At Teddington Camps we incorporate safer recruitment procedures into all aspects of our recruitment procedure. We have a well-planned, structured and transparent process with consistent application. Our aim is to deter the wrong people from applying and prevent the wrong people from being appointed. 

Job descriptions and person specification documents:

  • Safeguarding responsibilities of the role are clearly defined.

Advertising and shortlisting:

  • All job advertisements state Teddington Camps’s commitment to safeguarding and the promotion of child welfare.

  • It is made clear that a DBS check will be carried out, that there should be no gaps in CVs and that references will be checked.

  • Shortlisting is done by two people working independently to ensure a fair and transparent shortlist of candidates. Shortlisting is done with the person specification in mind.

Interview and coaching session:

  • Applicants are invited to face-to-face interviews and asked to deliver an assessed coaching session.

  • All applicants are informed before their interview that we will follow up references, we require a DBS disclosure or overseas police check, all gaps in CVs are to be accounted for and proof of identity and qualifications will be required.

  • For each position a set of interview questions is created and includes safer recruitment questions. All staff members involved in recruitment have access to examples of safer recruitment questions along with examples of responses which would cause concern.

References:

  • Teddington Camps recognises the importance of references in providing an indicator of future performance.

  • We require one written reference and one phone reference where a written record is kept of a verbal reference and a template is followed. The person spoken to, position and date are noted.

  • Any causes for concern that arise from a reference are followed up with the applicant.

  • A position offered to a successful applicant is always subject to references and an enhanced DBS check or police check.

Referrals to the Disclosure and Barring Service (DBS)

A referral must be made to the DBS when Teddington Camps withdraws permission for an individual to engage in work with under-18s or would have done so had that individual not resigned, retired, been made redundant or been transferred to a position which does not involve contact with under-18s, because they think the individual has:

  • Engaged in relevant conduct; i.e. action or inaction that has caused neglect, emotional/psychological, sexual or physical harm.

  • Satisfied the Harm Test; to harm or cause harm, put a child at risk, attempt to harm or incite others to harm.

  • Received a caution or conviction for a relevant offence.

If these conditions have been met the information must be referred to the DBS. The referral should be made to the DBS when the provider has gathered sufficient evidence as part of their investigations to support their reasons for withdrawing permission to engage in work with under-18s and, in following good practice, consulted with their Local Authority Designated Officer (LADO) or Health and Social Care Trust Designated Officer, if appropriate.

Selection: Applicants are informed of the results of the interview within a week. Confirmation of fixed term and pay is given in writing with a contract and full terms and conditions to follow before date of employment. All unsuccessful interviewees are informed by email.

IMAGES OF CHILDREN POLICY

Taking, storing and using images of children policy:

This Policy is intended to provide information to children and their parents, carers or guardians about how images of children are normally used by Teddington Camps. It also covers our company approach to the use of cameras and filming equipment at company events, live streaming, and on premises by parents, other visitors and children themselves, and the media. 

Parents who book a place for their child at our camps or coaching sessions are asked to agree to using images of him/her as set out in this policy via our consent form and from time to time if a particular use of the child's image is requested. We hope parents will feel able to support our company in using images to celebrate the achievements of children, promote our work, and for important administrative purposes such as identification and security. 

Any parent who wishes to limit the use of images of a child for whom they are responsible should contact Teddington Camps in writing, in addition to declining the permission request on the online booking forms.  Teddington Camps will respect the wishes of parents/carers (and indeed children themselves) where reasonably possible, and in accordance with this policy. Parents should be aware that, from around the age of 12 and upwards, the law recognises pupils' own rights to have a say in how their personal information is used – including images.

Use of Child Images in Company Publications:

Unless the relevant child or his or her parent has requested otherwise, Teddington Camps will use images of its children to keep the Teddington Camps community updated on the activities that have taken place, and for marketing and promotional purposes, including: 

  • on internal displays (including clips of moving images) on digital and conventional notice boards within Teddington RFC premises;

  • in communications with the company community; and

  • on our company website and, where appropriate, via company social media channels. Such images would not normally be accompanied by the child's full name without permission.

Use of Child Images for Identification and Security:

CCTV is in use on Teddington RFC premises and will sometimes capture images of children. Images captured on Teddington RFC’s CCTV system are used in accordance with our Data Protection Policy, and any other information or policies concerning CCTV which may be published by Teddington RFC from time to time.

Use of Child Images in the Media:

Where practicably possible, Teddington Camps will always notify parents in advance when the media is expected to attend an event or school activity in which pupils are participating and will make every effort to ensure that any child whose parent or carer has refused permission for images of that child to be made in these circumstances is not photographed or filmed by the media. The media normally asks for the names of the relevant children to go alongside the images, and these will be provided where parents have been informed about the media's visit and either the parent or child has consented as appropriate.

Security of Child Images:

Professional photographers and the media are always accompanied by a member of staff when at Teddington RFC. Teddington Camps uses only reputable professional photographers and makes every effort to ensure that any images of children are held by them securely, responsibly and in accordance with company instructions. 

Teddington Camps takes appropriate technical and organisational security measures to ensure that images of children held by our company are kept securely, and protected from loss or misuse, and will take reasonable steps to ensure that members of staff only have access to images of children held by the company where it is necessary for them to do so. 

All staff are given guidance on the company's Policy on Taking, Storing and Using Images of Children, and on the importance of ensuring that images of children are made and used responsibly, only for school purposes, and in accordance with our policies and the law. Images of children in a safeguarding context are dealt with under our relevant safeguarding policies.

Use of Cameras and Filming Equipment by Children:

Cameras or filming equipment (including on mobile phones) must not be used to photograph or record children or members of staff. Children may use their mobile phone within a break or activity only under clear guidance from the teacher, for a very specific task.

The misuse of cameras or filming equipment in a way that breaches this Policy, or Teddington Camps' Anti-Bullying Policy, Data Protection Policy for Children, Parents and Carers, or IT Acceptable Use Policy for Children, is always taken seriously and may be the subject of disciplinary procedures or dealt with under the relevant safeguarding policy as appropriate.

INSURANCE 

Please contact our team at Teddington Camps if you wish to discuss any matters regarding insurance cover.