Pacesetter Sports & Wellbeing (Pacesetter) collects and uses certain types of information about the Individuals or Service Users who come into contact with us in order to carry out our work. Such data is collected from employees, customers (parents/schools), suppliers and clients and includes (but is not limited to) name, address, email address, date of birth, medical conditions, contact numbers, IP address, private and confidential information, sensitive information and bank details. This personal information must be collected and dealt with appropriately whether it is collected on paper, stored in a computer database, or recorded on other material. There are safeguards to ensure this complies with The EU General Data Protection Regulation coming into effect from May 2018. To ensure regular monitoring, the Data Protection Officer (DPO) is currently Nick Schanschieff.
Data storage and online management (online and on paper)
If a parent or guardian wishes their child to be part of a ‘parent’ related Pacesetter club they need to register their personal details along with their child/ren’s details. A parent/guardian will set up their own account with a username and secure password. Their account will include ‘parent’ names, telephone number, child/ren’s name/s, date of birth, school, year group and any special needs/medical conditions. These details are essential and form part of our safeguarding systems. They then have the freedom to book clubs, restricted to their own school during term time and any of Pacesetter’s Holiday Clubs. They also have the freedom to purchase other merchandise and sports equipment as they wish.
It is Pacesetter’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party. All company laptops will be restored to factory settings as soon as a staff member leaves.
All staff will adhere to these Principles of Data Storage, as detailed in the GDPR.
- The only third party that Pacesetter work with in relation to data management is their website provider and booking system developers, Amaven. They designed both the website and booking system and manage any issues relating to both of these. They have secure login details that are unique to them and they comply with GDPR.
- Information and records relating to customers/parents/guardians will be stored securely and will only be accessible to authorised Pacesetter staff, e.g. to access and manage parents’ and children’s details online. To do this a username and password is needed for each coach. This will be unique to them and should ensure that the password is unique to each individual. In the office all staff members have the same level of access to this secure data.
- In no circumstances will Pacesetter staff share details of children between other parents or third parties. Account Managers (Account is referred to as meaning a ‘school’) will confirm details of children to schools via registers (names only). These will only be the schools that the children attend and no other school, organisation or third party. The school will hold all of the same information and this is done for safeguarding purposes. Therefore, Pacesetter and the school work together as a partnership and we are not ‘sharing data’ but ‘confirming the same data’.
- Staff will not, in most circumstances, set up an account for a ‘parent/guardian’. This is in order that all parents review our Terms & Conditions. Terms & Conditions are transparent, concise and explain that ‘no data is shared with any other third party’. The only exception will be if a parent is unable, for any reason, to register and manage bookings online and therefore Pacesetter will assist the parent/guardian. The parent will need to give consent, through filling in and signing a Pacesetter ‘course booking form’. Data will be communicated with the children’s own school in order that the school can be kept up to date with registers and therefore for safeguarding purposes. Schools may want to book ‘Pupil Premium’ or other children onto our clubs. These children are funded via a school and therefore need to be registered by Pacesetter. We will receive all the relevant information needed from the school.
- Staff are able to communicate with parents via phone, text or email but for the sole purpose relating to their school or club. In no circumstances do we ever push customers. Our communications are informative and sent with the interests of the children/adults on our courses and in most cases updating information about Pacesetter. Generic communication terminology is available within our office for all staff to use. Therefore we are being consistent and transparent with both parents/guardians and our staff.
- In some cases parents will ‘initialise’ an order. This means that they have registered an interest in a club or clubs but not checked out, therefore not confirmed the space or paid for it. In this instance a coach will send a message to inform them in case they think they have booked on.
- Pacesetter holds information regarding children and adults within Office 365, which is accessed using a secure login and password. From time to time Pacesetter uses children’s names for evaluation purposes and this is shared with the relevant school. Once used these are then shredded.
- Injury/bullying/safeguarding forms are filled in, signed and shared with the related school. These will be filed for 3 years and then shredded. This will never be shared with a third party unless it’s a safeguarding matter. In this instance if it happens during school hours details will be shared with the relevant SENCO of the school. If this happens outside of school hours or on our holiday clubs then we would deal with MASH (See Safeguarding Policy). The file for Injury/bullying/safeguarding is left in a secure place in the office. We can confirm all details with the related school.
- Suppliers’ records are filed securely and kept for a period of 6 years. No data is shared with a third party, just with the relevant supplier.
- You have the right to request that we delete all of the personal data we have about you. If you would like all this information deleted, please email firstname.lastname@example.org. Please note that your email address will be opted-out of email marketing and held on a suppression list. This is to ensure that if your information were to be re-added in the future, you will remain opted-out of email marketing, unless you physically opt back in. Please allow up to 30 days for removal of information.
Card/Account details and payments
Pacesetter never store card details online after the transaction. It is very important that the management and control of information received in respect of card details at Pacesetter applies to all members that handle card payment data and any other data that is associated with legislation, e.g. GDPR.
Pacesetter must follow these processes:
- Where card details are provided during a telephone call, coaches cannot write these down but must load online while speaking to the customer on the telephone.
- Transactions will only be taken within the office on an office telephone.
- If for any reason the coach is not able to complete the transaction, then a call-back must be arranged.
- When card details are being provided during a telephone call these must not be repeated back to the customer.
- Coaches’ usernames and passwords for Cardsave should never be shared and details kept secure at all times. After a period of inactivity this system times out, and this timeframe is set by Worldpay. Each coach has a unique username and password that requires a capital, lower case, numerics and symbols and is therefore very secure. Passwords are renewed every month. Cardsave (managed by Worldpay) manages the payment systems through which parents pay online. They have confirmed that they comply with GDPR.
- Unless customers are paying for ‘part paid’ bookings all staff need to try as hard as possible to ensure customers go through the booking system. Paying over the phone should be the last resort in all cases to limit any form of risk.
- GoCardless, Pacesetter’s direct debit supplier, stores account details of schools for the purposes of direct debit payments for Pacesetter. The school / organisation agrees to their terms and conditions online. Pacesetter do not store their details. They have signed to confirm that they comply with GDPR. See file for GDPR correspondence.
- On leaving Pacesetter staff usernames and passwords will become obsolete and their profiles are removed.
- Parent consent – There is no sharing of data between Pacesetter and any other third party. Children’s details will be confirmed with the partner school that they attend. This will be for safeguarding purposes and no other reasons (as per section 2).
- The GDPR bans pre-tick opt-in boxes or any other method of default consent and therefore parents must opt in to various ‘extras’ that Pacesetter offer.
- Each year after the 1st August the system automatically moves a child up a year group to ensure data is up to date. At this time an export is carried out in order to extract important data regarding children who can no longer be part of Pacesetter clubs. Pacesetter then delete the child and if applicable the parent to ensure all data is current. Another example is when a child leaves Primary school or moves away from the area, known as the ‘Right to be Forgotten’. This will be completed by 31st August each year.
- Parents/guardians must be responsible for updating important information needed to ensure that data is kept accurate. An email twice a year will be circulated to remind parents to update if necessary.
- Pacesetter will circulate periodically general communication by email with information regarding Pacesetter Term Time and Holiday Clubs. Parents/guardians have the freedom to unsubscribe at any point. Only emails that are supplied within their profile will be used. This is clearly represented in the Terms & Conditions.
- Before 25th May all existing parents/guardians on our database were sent an email explaining the tighter rules around data protection. The Terms & Conditions were also presented to them. This included clearly that they had the freedom to unsubscribe at any point.
- During Pacesetter Holiday Programmes any photos taken will have had an accompanied photo consent form filled in and only be used for social media purposes. These photos will then be deleted from the device immediately.
- From time to time Pacesetter will approach potential new schools that we have never worked with. If schools appear on the TPS (Telephone Preference Service), we cannot contact them. Emails are acceptable if they are for a ‘legitimate interest’ and emails are sent to a generic email address. An opt-out (unsubscribe) option will be available on these emails.
Working with Third Parties
- Pacesetter works with third parties in relation to the management of their online system and sensitive data roles. Northamptonshire County Council (NCC) manage online referral forms. These are initially given by the associated school and managed by NCC. NCC have secure systems in place regarding logins and passwords (all of their form submissions are restricted by permissions). They also have to confirm they agree to the sensitivity of the information and will manage online with GDPR guidelines. Please see NCC’s GDPR Policy: www3.northamptonshire.gov.uk/councilservices/council-and-democracy/transparency/information-policies/Pages/privacy-notice.aspx
- Pacesetter works with, from time to time, a number of charities and voluntary organisations. Presently they are working with Northamptonshire Community Foundation (NCF) in delivering Wellbeing to schools. The University of Northampton are involved in the evaluation. Both NCF and the University will sign disclaimers in relation to the sensitivity of data (only children’s names are used). Please see NCF’s/University’s GDPR Policy.
- Pacesetter works with adults on their Youth Mental Health First Aid (MHFA) programmes designed for adults in schools. The candidates sign forms which explain that their details will only be shared between Pacesetter and MHFA England. They have signed to confirm that they comply with GDPR. MHFA England GDPR Policy is stored in the office.
- The only other time that Pacesetter will work with a third party is reporting such matters as a Safeguarding incident. This will ONLY be if the course / programme is being run outside of school hours e.g. holiday programme (See separate Safeguarding policy). Any safeguarding issue during term time will be managed with the partner school in the first instance.
- Pacesetter uses a database known as HubSpot, which is a customer relationship management (CRM) database. We use this for all public and private sector contacts (mainly schools in the education sector), as well as parents and direct bookers. Staff have secure login details that are unique to them and our GDPR Policy is kept in the office. They have also signed to confirm that they comply with GDPR.
Data Breach & Disaster Response
The GDPR mandates that organisations take various measures to protect personal data from security breaches. Article 4 of the act describes a breach as any incident that leads to the loss, deletion, modification, or unauthorized disclosure of data.
Our data could be compromised in the following ways:
- Data is compromised to our parent/child database, e.g. Amaven or HubSpot.
- Data is compromised to our staff database via third parties, e.g. NEST Pensions, Stanley Yule Payroll, Bright HR.
- Staff lose their registers or any other information with personal data on (hard copies are needed for safeguarding reasons).
Breaches need to be reported to the Information Commissioner’s Office (ICO) within 72 hours via the DPO with the following information:
- Details of the breach, including nature of incident and approximate numbers of individuals affected;
- Likely repercussions of the breach;
- Measures to resolve or mitigate the effects of the breach;
- Name and contact information of the organisation’s DPO or contact person.
You have a right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please email email@example.com. Email addresses that have been opted out of marketing communications will be retained in a ‘suppression list’ for the purpose of ensuring they do not receive further emails and that your preferences are respected in the future.
- When you browse the website or make a purchase, we may automatically collect information about your visit by using cookies. This information may include your device type, browser, IP address, how you came to the website or how you interacted with the website. This information may be used to monitor or improve website performance.
- Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.
- For further information visit www.aboutcookies.org or www.allaboutcookies.org.
- You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However in a few cases some of our website features may not function as a result.