General Data Protection Regulation Policy 

Statement

GDPR stands for General Data Protection Regulation and replaces the previous Data Protection 

Directives that were in place. It was approved by the EU Parliament in 2016 and comes into effect on 25th May 2018. 

GDPR states that personal data should be ‘processed fairly & lawfully’ and ‘collected for specified, explicit and legitimate purposes’ and that individuals data is not processed without their knowledge and are only processed with their ‘explicit’ consent. GDPR covers personal data relating to individuals. Ballet Malvern Centre of Dance is committed to protecting the rights and freedoms of individuals with respect to the processing of children's, parents, visitors and staff personal data. 

The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. 

GDPR includes 7 rights for individuals

1) The right to be informed 

Ballet Malvern is required to collect and manage certain data. We need to know parent’s names, addresses, telephone numbers, email addresses. We need to know children’s’ full names, addresses, date of birth, along with any SEN requirements. 

We are required to collect certain details of visitors to our School. We need to know visitors names, telephone numbers, and where appropriate company name. This is in respect of our Health and Safety and Safeguarding Policies. 

Ballet Malvern Centre of Dance is required to hold data on its Teachers; names, addresses, email addresses, telephone numbers, date of birth, National Insurance numbers, photographic ID such as passport and driver’s license, bank details. This information is also required for Disclosure and Barring Service checks (DBS) and proof of eligibility to work in the UK. This information is sent via a secure file transfer system to UCheck for the processing of DBS checks. DBS Numbers and date of issue are also held on a central staffing record.

2) The right of access 

At any point an individual can make a request relating to their data and Ballet Malvern Centre of Dance will need to provide a response (within 1 month). Ballet Malvern Centre of Dance can refuse a request if we have a lawful obligation to retain data but we will inform the individual of the reasons for the rejection. The individual will have the right to complain to the ICO if they are not happy with the decision. 

3) The right to erasure 

You have the right to request the deletion of your data where there is no compelling reason for its continued use. However, Ballet Malvern Centre of Dance has a legal duty to keep children’s and parents details for a reasonable time, Ballet Malvern Centre of Dance retains these records for 3 years after leaving the school, children's accident and injury records for 19 years (or until the child reaches 21 years), and 22 years (or until the child reaches 24 years) for Child Protection records. Staff records must be kept for 6 years after the member leaves employment, before they can be erased. This data is archived securely onsite and shredded after the legal retention period. 

4) The right to restrict processing 

Parents, visitors and staff can object to Ballet Malvern Centre of Dance processing their data. This means that records can be stored but must not be used in any way, for example reports or for communications. 

5) The right to data portability 

Ballet Malvern Centre of Dance requires data to be transferred from one IT system to another; such as from Ballet Malvern Centre of Dance to the Local Authority, for performance BOPA licences, and dance Associations for examinations. These recipients use secure file transfer systems and have their own policies and procedures in place in relation to GDPR. 

6) The right to object 

Parents, visitors and staff can object to their data being used for certain activities like marketing or research. 

7) The right not to be subject to automated decision-making including profiling. 

Automated decisions and profiling are used for marketing based organisations. Ballet Malvern Centre of Dance does not use personal data for such purposes. 

Storage and use of personal information 

All paper copies of children's and staff records are kept in a locked filing system in Ballet Malvern Centre of Dance studios. Members of staff can have access to these files, but information taken from the files about individual children is confidential and apart from archiving, these records remain on site at all times. These records are shredded after the retention period. 

Information about individual children is used in certain documents, such as, a weekly register, medication forms, referrals to external agencies and disclosure forms. These documents include data such as children's names, date of birth and sometimes address. These records are shredded after the relevant retention period. 

Ballet Malvern Centre of Dance collects a large amount of personal data every year including; names and addresses of those on the waiting list. These records are shredded if the child does not attend or added to the child’s file and stored appropriately. 

Information regarding families’ involvement with other agencies is stored both electronically on a Password protected memory stick and in paper format, this information is kept in a locked filing cabinet at Ballet Malvern Centre of Dance studios. These records are shredded after the relevant retention period. 

Ballet Malvern Centre of Dance stores personal data held visually in photographs or video clips or as sound recordings unless written consent has been obtained via the Performer Release form/fit to Perform agreement form. No names are stored with images in photo albums, displays, on the website or on Ballet Malvern Centre of Dance social media sites. 

Access to all Office computers is password protected. When a member of staff leaves the company, these passwords are changed in line with this policy and our Safeguarding policy. Any portable data storage used to store personal data, e.g. USB memory stick, are password protected and/or stored in a locked filing cabinet. 

GDPR means that Ballet Malvern Centre of Dance must;
* Manage and process personal data properly
* Protect the individual’s rights to privacy
* Provide an individual with access to all personal information held on them 

 

This Policy was adapted at a meeting at Ballet Malvern Centre of Dance in May 2018 Signed on behalf of Ballet Malvern Centre of Dance 

RKSloan-Kirton

Policy review date: September 2018

 

Retention periods for records 

Children’s records 

Retention period 

Status 

Authority 

 

Children’s records - including registers, medication record books and accident record books pertaining to the children 

A reasonable period of time after children have left the provision (e.g. until after the next Ofsted inspection) 

Requirement 

Statutory Framework for the Early Years Foundation Stage (given legal force by Childcare Act 2006) 

 

Until the child reaches the age of 21 - or until the child reaches the age of 24 for child protection records 

Recommenda tion 

Limitation Act 1980 

Normal limitation rules (which mean that an individual can claim for negligently caused personal injury up to 3 years after, or deliberately caused personal injury up to 6 years after the event) are postponed until a child reaches 18 years of age 

 

Records of any reportable death, injury, disease or dangerous occurrence 

   

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (as amended)

 

 

 

3 years after the date the record was made 

 

Requirement 

 

Personnel records 

Retention period 

Status 

Authority 

 

 

Personnel files and training records (including disciplinary records and working time records) 

6 years after employment ceases 

Recommenda tion 

Chartered Institute of Personnel and Development 

 

DBS check 

6 months 

Recommendat ion 

DBS Code of Practice 

The following basic information should be retained after the certificate is destroyed: the date of issue; the name of the subject; the type of disclosure; the position for which the disclosure was requested; the unique reference number; and the details of the recruitment decision taken 

Pay 

Wage/salary records (including overtime, bonuses and expenses) 

6 years 

Requirement 

Taxes Management Act 1970 

Statutory Maternity Pay (SMP) records 

3 years after the end of the tax year to which they relate 

Requirement 

The Statutory Maternity Pay (General) Regulations 1986 

Statutory Sick Pay (SSP) records 

3 years after the end of the tax year to which they relate 

Requirement 

The Statutory Sick Pay (General) Regulations 1982 

 

 

 

 

Income tax and National Insurance returns/records 

   

The Income Tax (Employments) Regulations 1993 (as amended) 

 

At least 3 years after the end of the tax year to which they relate 

 

Requirement 

 

   
 

 

Redundancy details, calculations of payments, refunds, notification to the Secretary of State 

6 years after employment ends 

Recommenda tion 

Chartered Institute of Personnel and Development 

 

Health and safety 

 

Staff accident records (for organisations with 10 or more employees) 

3 years after the date the record was made (there are separate rules for the recording of accidents involving hazardous substances) 

Requirement 

Social Security (Claims and Payments) Regulations 1979 

 

Records of any reportable death, injury, disease or dangerous occurrence 

3 years after the date the record was made 

Requirement 

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (as amended) 

 

 

Accident/medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH) 

40 years from the date of the last entry 

Requirement 

The Control of Substances Hazardous to Health Regulations 2002 (COSHH) 

 

Assessments under Health and Safety Regulations and records of consultations with safety representatives 

Permanently 

Recommenda tion 

Chartered Institute of Personnel and Development 

 

Financial records 

Retention period 

Status 

Authority 

 

   
 

 

Accounting records 

3 years from the end of the financial year for private companies, 6 years for PLC

Requirement 

Companies Act 2006 

 

       

 

6 years for charities 

Requirement 

Charities Act 2011 

 

Administration records 

Retention period 

Status 

Authority 

 

Employers’ liability insurance records 

For as long as possible 

Recommenda tion 

Health and Safety Executive 

 

 

Minutes/minute books 

10 years from the date of the meeting for companies 

Requirement 

Companies Act 2006 

 

6 years from the date of the meeting for Charitable Incorporated Organisations 

Requirement 

The Charitable Incorporated Organisations (General) Regulations 2012 

 

   

Chartered Institute of Personnel and Development 

 

Recommendat ion 

 

Permanently