Our Statement of Compliance

 

Sporting Dreams Group

Data Protection Policy - Statement for schools

OUR STATEMENT OF COMPLIANCE

 

1.0   - WHO WE ARE

Sporting Dreams, is a sole trader sports education company providing sports coaching and educational services to children, adults, schools and community groups throughout the UK and Europe. We deliver PE and sports programmes across the UK and Europe using the services of qualified and experienced Sports Coaching Professionals.

 

2.0   - THE STEPS WE’VE TAKEN TO REACH COMPLIANCE

Sporting Dreams Group had a full data audit carried out at the end of 2018, which outlined the changes we needed to make to our data handling processes in order to reach GDPR compliance. We have actioned this, and are now fully GDPR compliant.

 

As part of this process, we updated our Privacy Policy and Data Protection Policy, carried out Data Protection Impact Assessments and will be updating our Service Level Agreements with all schools. We’ve confirmed all our third-party data processors and suppliers are also GDPR compliant, verified the security of the servers our data is stored on and purged our database of out-of-date data as well as establishing policies for data retention and deletion.

 

If you have questions that are not answered in this document, please direct them to info@sporting-dreams.co.uk

 

3.0   - THE PERSONAL INFORMATION WE PROCESS

• 3.1 PARENTAL DATA (ONCE THEY ARE A Sporting Dreams CUSTOMER)

What information we will hold on parents

When parents sign their child up for a Sporting Dreams course, we collect the following information from them: name, relation to child, email address, phone number, home address, and payment details How we will use it We collect parent’s names, email addresses, phone numbers, home addresses, and financial info for billing purposes, and to send them information relating to their booking (e.g. if their child needs to bring a certain item of clothing, or if there has been a change of timing or location). If they opt-in to receiving emails, we send a parent’s newsletter once a month, as well as occasional marketing emails filled with content we think will be of interest to them.

 

Our justification for holding this data

We have a contractual need to keep information relating to billing, and we have informed consent from parents to send them marketing information. We may also need to get in touch with them in the event of an emergency relating to their child.

 

With whom we may share parent’s data

We will only share parent’s information with those parties who may need to see this, for example members of staff to process their child’s membership. Some of our technical support processors may also see sight of parent’s information, and you can read more in Section 4 about where their data is stored in relation to servers, and web-based marketing systems we use to deliver emails.

 

How long we’ll keep parental data

We will retain data during the life of the relationship with the customer and then for three years thereafter. This includes contact details and payment information. Data referring to their children will be stripped back to non-data subject level (i.e. anonymised so it can’t be linked back to them or their children) for the purpose of impact reporting.

 

We reserve the right to delete customer’s marketing data from our system if parents no longer fulfil our sales criteria - i.e. if they have not made a purchase from us for the past two years, have not opened the last 11 of our emails, or if the children they are booking courses for are now older than the age range we deliver to (4-12 years old). In these scenarios, we will retain the bare minimum of information (i.e. their email address) on a Suppressed list held within Sendgrid, to ensure we do not contact the individual again once they have been removed from our email lists.

 

Customers will be emailed every 12 months to check their communication preferences are up to date. This will be handled by a Sendgrid workflow based on the date the customer’s account was created. Information about where a contact has come from, what their email preferences are and when this information was given will all be stored within the user’s record in Sendgrid.

 

If parents want to withdraw consent for marketing, they can update their communication preferences by emailing info@sporting-dreams.co.uk.

 

3.2 - CHILDREN’S DATA

What information we will hold on Sporting Dreams children

When schools or parents sign their children up with Sporting Dreams, we collect the following information from them about their children: name, DOB, gender, school, a record of their performance in Sporting Dreams courses and medical information. During Sporting Dreams courses, we will also need to record attendance.

 

How we will use it

We collect names, DOBs, gender, school name and a record of their attainment against National Curriculum standards on Sporting Dreams programmes for monitoring and reporting purposes. This means we can see how many children we have activated, in which regions, and what the overall impact on their attainment and health has been.

 

We have a safety need to record children’s attendance in our courses by taking registers, and keeping a record of their medical information in case of an emergency during a Sporting Dreams session. Our justification for holding this data. We ask for school or parental consent when they sign their child up to Sporting Dreams activity to hold their name, DOB, gender, school name and a record of their performance on Sporting Dreams courses and also their medical history.

 

We also have a contractual need to hold some of this information, like their name, school name and attainment. Keeping a record of their attendance and medical information is known as a ‘vital interest’ justification, as we need to know this to safeguard your child and is also required to comply with our legal obligations.

 

Who we share children’s data with

See Section 4 for information about where children’s data is stored in relation to servers, and webbased marketing systems we use to deliver emails.

 

How long we’ll keep children’s data

We will retain data during the life of the relationship with the customer and then for three years thereafter. Data referring to children after this time will be stripped back to non-data subject level (i.e. anonymised so it can’t be linked back to parents or their children) for the purpose of impact reporting.

 

3.3 - SCHOOLS’ DATA

What information we will hold on schools

We hold email addresses of teachers and headteachers (both named and generic addresses), the postal address & telephone number of school.

 

In some cases, we hold a record of pupil’s attainment against National Curriculum standards on Sporting Dreams programmes for monitoring and reporting purposes. This means we can see how many children we have activated, in which regions, and what the overall impact on their attainment and health has been.

 

See Section 4 for information about where schools’ data is stored in relation to servers

 

How we will use it

We hold contact information (email addresses, postal addresses and phone numbers) for billing purposes. We also retain email addresses in order to contact schools with marketing information with think will be of interest to them.

 

We have a contractual need to hold records of pupil’s attainment against National Curriculum standards and provide this to schools for reporting purposes.

 

Our justification for holding this data

We have a contractual need to retain email addresses, postal addresses and phone numbers in order to contact schools for billing purposes. We have a legitimate interest to contact schools who have not yet started working with Sporting Dreams.

 

Who we share your data with

See Section 5 for information about where your data is stored in relation to servers, and web-based marketing systems we use to deliver emails and across group.

 

How long we’ll keep your data

We have the right to retain data which is in the public domain, including school names, addresses, phone numbers and generic email addresses. We will retain pupil data for the lifetime of the school’s contract with us. If a school ends their contract with us, we will delete all pupil data for that school three months after the end of the current academic year.

 

4.0   - WHERE THIS DATA IS HELD

4.1 SCHOOL & FAMILY PORTAL

If you create an account through our website, your information is stored in our bespoke Business Management System, which has its own secure server. Data provided via the forms on our Schools or Family portal is securely held and stored solely by us on Sporting Dreams owned servers. Our server, which we manage ourselves, is hosted in the UK with a company called GoDaddy (www.GoDaddy.com). The server Operating System is kept up to date via automatic security patches and all software used is still supported (including PHP).

 

All our sites use HTTPS encryption to protect any sensitive data in transit from the server to the browser.

 

4.2 - MARKETING DATA

Once you have opted in to receive marketing information from us, your data is securely encrypted and then securely transmitted to the Sendgrid’s secure servers using PHP scripts. There, the data is stored on Sendgrid’s computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure. Sendgrid’s current security and storage policy can be found here https://sendgrid.com/policies/security/

 

We then access these details via the Sendgrid’s Client Management Portal logging into the Sendgrid secure servers, where your details are only accessed by authorised admin personnel at the Sporting Dreams Group. You will only ever receive correspondence via Sporting Dreams Group or an authorised sender based on the notification settings in your account. We shall process your details with your consent.

5.0 - THE TECHNICAL AND ORGANISATIONAL SECURITY MEASURES WE HAVE IN PLACE TO PROTECT PERSONAL DATA

5.1 - SHARING OR TRANSFERRING YOUR DATA

Occasionally we will need to share or transfer your data with our trusted third-party data processors or within the Sporting Dreams group subsidiaries. When we transfer data, we will securely encrypt it before transferring.

 

We are based in the UK, and under GDPR, we can transfer data between countries which adhere to similarly stringent data protection legislation. This includes the USA, where some of Sendgrid’s servers are based. See section 7 for Sendgrid’s Privacy Policy.

 

Where we use data processors outside of the EU we will only use those who can guarantee the safety of your information. We will transfer your information to our processors using our legitimate business interests.

 

5.2 AUTOMATED PROCESSING

With your consent, we will carry out a limited number of automated processes relating to your data. This may include automatically sending you information we think will be of interest to you based on what you’ve engaged with in the past or sending you reminder emails if we think you’ve forgotten to complete a purchase. You can opt out of automated processing at any time.

 

6.0   - OUR THIRD-PARTY DATA PROCESSORS

We use several third-party organisations to process personal data on our behalf. These organisations have been selected in part due to their commitment to data security. All are GDPR-compliant. Those based in the USA are also EU-US Privacy Shield compliant

7.0   - OUR DATA RETENTION POLICY

We reserve the right to delete your data from our system if you no longer fulfil our sales criteria - i.e. you have not made a purchase from us for the past two years, you have not opened the last 11 of our emails, or if the children you are booking courses for are now older than the range we deliver to (4-12 years old).

 

In these scenarios, we will retain the bare minimum of information (i.e. your email address) on a Suppressed list, to ensure we do not contact you again once you have been removed from our email lists.

 

We have the right to retain data which is in the public domain, including school names, addresses, phone numbers and generic email addresses.

We will retain pupil data for the lifetime of the school’s contract with us. If a school ends their contract with us, we will delete all pupil data for that school three months after the end of the current academic year.

 

8.0   - DATA CONTROLLER

The data controller of this website is Sporting Dreams, Registered address & operating office: Sporting Dreams, The Sports Building, 44 New Street, Hinckley, Leicestershire, England, UK, LE10 1QZ

 

9.0   - DATA PROTECTION OFFICER

Our Data Protection Officer’s contact information is: Darren Hill 07813175444 darren@sporting-dreams.co.uk


 

Copyright © 2019 Sporting Dreams. All rights reserved.

Website Design by Flamingoat in Leicester