Data Protection – PRIVACY NOTICE

  1. INTRODUCTION
  1. Purpose of Document

The purpose of this document is to:

  • Describe the steps taken to protect Personal Data which is held by the

Arundel & Downland Community Leisure Trust (aka Arundel Lido) and its two subsidiary companies, Arundel Farmers Market Ltd (which runs the monthly Farmers’ Market in Arundel Town Centre) and ACT Services Ltd (which runs the Car Park adjacent to Arundel Lido).

  • Identify the Personal Data which is held, the purposes for which it is held, the format in which it is held, the security mechanisms used to protect it, the period for which it is retained and the lawful basis for holding or processing it.
  1. General Security Mechanisms
  • All Personal Data which is held in paper form is stored in lockable cupboards and may only be accessed by authorised personnel.
  • All Personal Data which is held on the ACT Computer System is protected by Firewalls and can only be accessed by authorised personnel via User-ID and Password.
  • Sections 2, 3 and 4 below identify which personnel are authorised to access each category of Personal Data.
  1. Requests for Information

All requests for information (or Subject Access Requests) about the data held should be submitted, in writing, to:

The Data Protection Officer

Arundel & Downland Community Leisure Trust

Arundel Lido

Queen Street

ARUNDEL

BN18 9JG

  1. Structure of Document

The remaining Sections of this document describe the Categories of Personal Data as follows:

Section 2: Arundel & Downland Community Leisure Trust (including Arundel Lido)

Section 3: Arundel Farmers Market Ltd.

Section 4: ACT Services Ltd.

  1. ARUNDEL & DOWNLAND COMMUNITY LEISURE TRUST
  1. Category: Trustee/Director Data (applies to all 3 Companies)

Data Controller: Arundel & Downland Community Leisure Trust

Data Processor(s): The Trust, Companies House, the Charity Commission

Data held: Name/Address/Telephone Number/Email Address/Eligibility Declaration and Minutes/Notes of Meetings.

Processing Purpose: To maintain records of Trustees and Directors and of their meetings.

Format:

  1. Individual Trustee/Director Data is held on paper in a folder retained by the Trust Chair. It is passed on electronically to the Charity Commission and Companies House so that those bodies can maintain publicly-accessible computerised records of Trustees/Directors.
  2. Minutes/Notes of Meetings are maintained in both electronic and paper format.

Security: The data may only be accessed by authorised Trustees

Retention:

  1. Individual Trustee/Director Data may be removed from the Trust Chair’s folder, and securely destroyed, once an individual ceases to be a Trustee/Director.

However, the details on the Companies House and Charity Commission databases will be held in perpetuity.

  1. Minutes/Notes of Meetings form part of the history of the Trust and are maintained in perpetuity.

Lawful Basis for Processing:  LEGITIMATE INTERESTS

  1. Category: Membership Data

Data Controller: Arundel & Downland Community Leisure Trust

Data Processor(s): None other than the Trust

Data held: Name/Address/Telephone Number/Email Address/Membership Card Number/Category (Adult/Junior/Child)/Age (if Under-18 or Over-60)/Expiry Date

Processing Purpose: To enable the production of Season Ticket/Membership Cards and confirm identity on entry to the Arundel Lido site. Also, to enable contact to be made with other family members in the case of accident/illness to a family member.

Format:

Initially on paper (Membership Application)

Then keyed into Membership Database on EPOS-NOW

Retention:

The paper Membership Application is retained for a second year (in case of renewal) and then securely destroyed.

The EPOS-NOW records are subject to a 3-year Data Purge

Security: Only the Manager or a designated member of staff is authorised to enter or amend Membership Data. Access is controlled by User ID and Password.

Lawful Basis for Processing:  LEGITIMATE INTERESTS

  1. Category; Staff Data

Data Controller: Arundel & Downland Community Leisure Trust

Data Processor(s): The Trust, Xero Payroll, HMRC, NEST Pensions, EPOS-NOW

Data held:

  1. Prior to Employment: Name/Address/Tel No/ Email/Address/Qualifications/ Experience/Hobbies/Medical Data/ DBS Status
  2. After Employment

Name/ Address/ Tel No/Email Address/Qualifications/Rate of Pay/ Hours of   Work/Tax Code/NI Number/Pension Record/Bank Account Details/DBS Status

Processing Purpose:  To enable the recruitment of staff, to record their employment details and to process their pay.

Format:

  1. Prior to Employment: Job Application Form on paper.

If no offer of employment is made, this will be securely destroyed.

  1. After Employment: The Job Application Form will be transferred to the individual’s Personal File and will be supplemented by other information requested of the individual (NI Number, Tax Code and Bank Account details to enable payroll processing, copy of certificate of qualification, etc.).

The basic details of the individual will then be input to the Xero Payroll System and subsequently processed by that system and communicated to HMRC. If relevant, these details will also be forwarded to the NEST Pensions System

Very basic details (Name and Key Code) will also be held on the EPOS-NOW system – for the purpose of clocking-in and clocking-out.

Security: The hard-copy Personal Files are kept in a locked cabinet, accessible only by the Lido Manager.  Access to the XERO Payroll System for updating/amendment is limited to the Lido Manager and the Book-keeper and is password-controlled. The NEST Pensions System is only accessed by the Book-keeper. All computer access is controlled by Username and Password.

Retention: As required by law, basic Staff Data is retained for 7 years.

Lawful Basis for Processing:  LEGITIMATE INTERESTS

  1. Category: Facility Booking Data

Data Controller: Arundel & Downland Community Leisure Trust

Data Processor(s): None other than the Trust

Data held: Name/Address/Tel Number/ Email Address/ Date, Time & Type of Booking

Processing Purpose: To record details of facilities bookings for events and functions and to enable contact to be made with people who have booked.

Format:

Initially on paper (Booking Application).

Then entered to XERO Accounting System – to allow creation and despatch of invoices.

Security: Only the Manager or a Duty Manager is allowed to process bookings and only the Book-keeper is allowed to issue invoices. The hard-copy Bookings File is kept in a secure cabinet, whilst the Invoice Data can only be accessed via User ID and Password.

Retention: The paper Booking Applications and the computer records are deleted at the end of each Season.

Lawful Basis for Processing:  LEGITIMATE INTERESTS

  1. Category: Swim School Booking Data

Data Controller: Arundel & Downland Community Leisure Trust

Data Processor(s): None other than the Trust

Data held for Adults: Name/Address/ Tel No./Email /Dates & Times of Bookings

Data held for Children (Over-5s): Name of Parent or Guardian/ Address/Email Address/Name of Child/ Age of Child/Skill Level of Child/Relevant Medical Conditions/

Emergency Telephone Number

Processing Purpose: To record details of bookings for Swimming Lessons and enable contact to be made with people who have booked.

Format: Wholly on paper. Application details are filed in Swim School folder, by date and time of lessons.

Security: The Swim School folder is only accessible by the Manager and Swim Teachers.

Retention: All data are securely destroyed at the end of each Season.

Lawful Basis for Processing: LEGITIMATE INTERESTS

  1. Category: Email Data

Data Controller: Arundel & Downland Community Leisure Trust

Data Processor(s): The Trust, Mailchimp

Data held: Names and Email addresses

Processing Purpose: To enable Arundel Lido to notify its members of developments, forthcoming events and activities if they have positively indicated a wish to be thus informed.

Format: Names & Email Addresses are held in Group Email folders. Mailchimp is used to distribute messages.

Security: Members must have positively indicated on their Membership Application Form that they wish to be kept informed.  Access to the Group Email and Mailchimp data is restricted to the Lido Manager. Access is controlled by User-ID and Password.

Retention: Members can withdraw their consent to be kept informed at any time, in which case their records will be securely deleted.

Lawful Basis for Processing: LEGITIMATE INTERESTS

  1. Category: Credit/Debit Card Data

ACT is certified as DCI PSS Compliant.

Details of our “ACT PSS DCI POLICY” can be obtained on request.

  1. Category: CCTV

Data Controller: Arundel & Downland Community Leisure Trust

Data Processor(s): None other than the Trust

Processing Purpose: Security of Lido Site and adjacent Car Park

Data held: Video pictures of key areas

Format: Hard Disc & Screen Display

Security: Replays of video only accessible by Manager and designated Trustee

Retention: The Hard Disc is automatically over-written after one month

Lawful Basis for Processing: LEGITIMATE INTERESTS

  1. Category: Complaints and Enquiries

Data Controller: Arundel & Downland Community Leisure Trust

             Data Processor(s): None other than the Trust

Data held: Name/Address/ Post Code/Tel. No./Email Address

Processing Purpose: To note details of Complaint/Enquiry and respond

Format: Complaints/Enquiries may be received on paper or via email.

         They will receive responses in the same format.

Security:

  • Complaints: Each complaint received on paper or by email must receive a response from a Trustee.  S/he may to consult with other Trustees or Staff Members in order to deal with the complaint.
  • Enquiries: Enquiries received on paper or by email may be answered by a Trustee or the Lido Manager.

Retention:

  • Complaints may be retained for the record.
  • Enquiries will be destroyed/deleted as soon as they have been satisfied

Lawful Basis for Processing: LEGITIMATE INTERESTS

  1. ARUNDEL FARMERS MARKET LTD. (A subsidiary of the Trust)
  1. Category: Stallholder Data

Data Controller: Arundel Farmers Market Ltd (a subsidiary of the Trust)

Data Processor(s): Arundel Farmers Market and Arun District Council

Data held: Name/ Business Name/Telephone Number/Email Address/Insurance Details/Food & Hygiene Details (where applicable)/Monthly Fees/Bank Account details/

Standing Order details.

Processing Purpose: To maintain a record of current Stallholders, their credentials and the payment of their fees.  Also, to keep Stallholders’ Bank Account details in order to facilitate refunds.

Format: Most of the above data is contained in the Stakeholder’s original Application Form, which is filed in the “Current Stakeholders” folder and updated as necessary (e.g. with changes to contact details, insurance details, etc.). Bank Account details are held on the NatWest computer system. A list of Stakeholders attending each Market, together with a record of Fees Due and Fees Paid, is maintained on the ACT Computer System.

Security: Primarily, only the Farmers Market Director and the Farmers Market Manager have access to any of the above data. However, a list of Stallholders, with Names, Addresses and Products Sold has to be passed to Arun District Council for licensing purposes. 

Retention: When a Stallholder leaves the market, all relevant details are removed and securely destroyed.

Lawful Basis for Processing:  LEGITIMATE INTERESTS

b)   Category: Contractor Data

Data Controller: Arundel Farmers Market Ltd (a subsidiary of the Trust)

Data Processor(s): Arundel Farmers Market Ltd only

Data held: Name/Address/Telephone Number/Email Address/Invoices/Bank Account details

Processing Purpose: To pay the contractors for their work in managing the monthly markets, transporting stalls and setting-up/taking down signs and stalls.

Format: All of the above data is recorded on the ACT Computer System, except that the Bank Account details are held on the NatWest computer system

Security: Only the Farmers Marker Directors have access to this data. Access to the data is controlled by User ID and Password.

Retention: If a Contractor leaves, all personal data is removed and securely destroyed.

Lawful Basis for Processing:  LEGITIMATE INTERESTS

  1. ACT SERVICES LTD. (A subsidiary of the Trust)
  1. Category: Reserved Spaces Data

Data Controller: ACT Services Ltd (a subsidiary of the Trust)

Data Processor(s): ACT Services Ltd

Processing Purpose: To enable the collection of fees from persons in the Reserved Parking Spaces Scheme at the Fitzalan Car Park, Arundel.

Format: Most of this data is held on paper in a “Reserved Parking Scheme” folder, but a map of current space allocations and correspondence with Scheme Members (including Invoices) are held on the ACT Computer System.

Security: Only ACT Services’ Directors have access to the folder or the data held on the computer system.  Access to the computer data is controlled by User-ID and Password.

Retention: If a person leaves the Scheme, their details are removed from both the folder and computer system and securely destroyed.

   Lawful Basis for Processing:  LEGITIMATE INTERESTS

  1. Category: Access Licence Data

  Data Controller: ACT Services Ltd (a subsidiary of the Trust)

  Data Processor(s): ACT Services Ltd

  Data held: Name/Address/ Annual Fee/Licence Agreement/ Invoices

  Processing Purpose: To enable the collection of fees from persons who have Personal Annual Licences to traverse the Car Park.

  Format: All the above data is held both in a paper folder and the ACT Computer System

  Security: Only ACT Services’ Directors have access to this data. Access to the computer data is controlled by User-ID and Password.

Retention:  If a person declines an Annual Licence, their details are removed from both the folder and the computer system and securely destroyed.

  Lawful Basis for Processing:  LEGITIMATE INTERESTS

  1. Category: VAT Receipt Data 

Data Controller: Arun District Council

Data Processor(s): ACT Services Ltd

  Data held: Name/Address/Car Registration No./Amount Paid/ Amount of VAT

  Processing Purpose: To enable the issue of VAT Receipts to those who hold Annual Passes issued by Arun District Council for the Fitzalan Car Park and request such receipts.

Format: The above data is received by email from Arun District Council and loaded into the ACT Computer System in order to produce a VAT Receipt

  Security: Only ACT Services’ Directors have access to this data, which is deleted as soon as a VAT Receipt has been produced and despatched.

  Retention: Data will be securely destroyed at the end of the next Accounting Period.

  Lawful Basis for Processing:  LEGITIMATE INTERESTS