Data Protection

With regard to the upcoming General Data Protection Regulation due to come in to force 25th May 2018 we are reviewing our Data Management.

 

An an outdoor education company we gather and store a fair amount of data on individuals and organisations in the execution of our business. This page is an attempt to lay out what data we store, where we store it, who we share it with and why.

 

The Lupine Adventure Co-operative data protection officer is: Andy Godfrey. e-mail: This email address is being protected from spambots. You need JavaScript enabled to view it. Tel: 0113 410 3712

 

You can contact our data protection officer to request a copy of the data that we hold on you and to request corrections are made as well as deletion and cessation of processing of that data. If you wish to make a complaint you can also direct this to our data protection officer or the Information Commissioners' Office (ICO)

 

In the tables below all data marked as stored on Dropbox is copied on to all staff laptops and backed up onto the Network attached storage. The Network attached storage is backed up onto a removable hard disk which is kept in the house of a director and mirrored (encrypted) onto the network attached storage of another Workers co-op in Leeds

 

Individual clients

What data we store Why we need it Where we store it Who we share it with When is it deleted Other information

Consent form Information
This varies between under 18's and over 18's but can consist of name, address, date of birth, medication, medical issues, parents contact details, doctors contact details, dietary preferences, Other family and friends contact details.

Sometimes rather than using our consent forms we simply take copies of a School's consent forms, these may hold additional information.

If we are working under the instruction of a school (i.e. they are responsible for heath and safety and we are merely providing one or more staff then we may receive medical information on the day and do not store it at all.

To ensure we and any instructors working directly with you have contact information and medical information that we / they may require.

To ensure that we are able to consent to emergency medical treatment in the case of under 18's if their parents cannot be contacted.

To enable medical staff to release under 18's to our care after treatment.

Consent forms are scanned in (originals shredded) and stored on Dropbox for up to a year and then archived onto our internet connected network attached storage in our office.

 

Consent form information is shared with the instructor via email.

 

Instructors are obliged to delete information at the end of the event at the latest.

We reserve the right to keep the Encrypted version on the USB drive indefinitely. However, In practice each year we scan these USB drives and we delete consent forms that we feel we no longer need using the following policy.

Adult only courses - consents over 5 years old are deleted.

Courses that involved young people as participants - We make an educated guess at the age of the youngest person (scout groups 10, Gold DofE 16, silver Dofe 14 etc. then count the years up to 18 and then add 5. We then delete forms when this period has passed.

If we were to have had a medical emergency we may elect to keep consent forms for longer.

 

Photos.

Photo consent is requested on consent forms. Some people cross out that clause as is invited in which case photos are not collected at all. If we are using another organisation's consent forms then no photographic consent is assumed to have been given.

We take pictures for social media release and for use in our promotions.

 

An internet connected Network attached storage.

 

Posted on Social Media, used on our website and other promotions.

 

Not deleted routinely.

 

 

Accident Reports

Personal information and details of incidents on accident reports.

Records need to be kept of first aid incidents and how they were responded to.

 

Dropbox for up to a year and then archived onto our internet connected network attached storage in our office.

 

Accident reports involving the DofE are shared with the AAP unit of the DofE.

The health and safety executive view our accident records but do not take copies.

Our insurance company request information regarding accident.

These are deleted on the same cycle as the consent forms.

 

 

Emails

Email addresses and personal information contained in emails.

To organise events we contact most clients by email.

 

Emails are stored on our ISP email servers and our laptops.

 

Employees of the company and freelancers are sometimes forwarded relevant information via email.

 

Not deleted routinely.

 

All access to our email servers is via SSL connections.

 

DofE Green Forms

Name, e-dofe number, Date of Birth, location of campsites visited on expedition.

The DofE need to record who has attended courses.

 

Green Form Information is stored on dropbox and then archived on internet connected Network attached storage.

 

 The DofE regional offices and DofE assessors.

 

 Not deleted routinely.

 

 

DofE assessor reports

Name, e-dofe number, details of their expedition.

If assessor reports are not saved correctly on e-DofE then participants come back to us for copies.

 

On dropbox and then archived on internet connected Network attached storage.

 

 e-dofe. Contents of forms is uploaded onto E-dofe.

 

 Not deleted routinely.

 

 

 

Schools and other organisations

 

What Data we store Why we need it Where we store it Who we share it with When is it deleted Other information

Schools Database

School Name and address, DofE contact, Phone number, email, location of school, date last contacted, brief notes on what contact has been had previously.

 

We contact schools to let them know about our services.

 

Network attached storage.

 

No one.

 

Not routinely deleted.

 

 

Email list

Email address, recipient name. The software also records who has read the emails sent

We have a DofE professionals email list that we email up to 5 times a year.

 

It is a component of our website.

 

No one.

 

Not routinely deleted.

 

The website has an SSL certificate. People can un-subscribe to individual lists or the whole site. We have a double opt in system but also add people who request to be added via the consent forms.

 

Emails

Email addresses and personal information contained in emails.

To organise events we contact most clients by email.

 

Emails are stored on our ISP email servers and our laptops.

 

Employees of the company and freelancers are sometimes forwarded relevant information via email.

 

Not deleted routinely.

 

All access to our email servers is via SSL connections.

 

           
           
           

 Employees

 

What Data we store Why we need it Where we store it Who we share it with When is it deleted Other information
Photos

We take pictures for social media release and for use in our promotions.

 

An internet connected Network attached storage.

 

Posted on Social Media, used on our website and other promotions.

 

Not deleted routinely.

 

 
Bank details

To pay wages and expenses.

 

In the Co-op bank online banking.

 

The Co-op bank.

 

Not deleted routinely.

 

 

Emails

Email addresses and personal information contained in emails.

To communicate with staff.

 

Emails are stored on our ISP email servers and our laptops.

 

Employees of the company and freelancers are sometimes sent information by group email thus sharing the information and each others email addresses so that all can respond.

 

Not deleted routinely.

 

All access to our email servers is via SSL connections.

 

Details of criminal records

Safeguarding and vetting.

 

An internet connected Network attached storage.

 

No one.

 

Deleted when no longer working for the co-operative.

 

DBS's are not stored but in the event of offenses showing up the information is copied into a file and notes attached detailing if we feel that any of the offences have any bearing on the suitability of the person to work with young people.

 

Qualifications overview and personal details

We have a deployment matrix which contains

Name, Telephone, email, qualifications held, first aid expiry, DBS status (with a tick box if offences are recorded on it) vehicle insurance expiry, home town, driving license details

To ensure that we have up-to-date records of qualifications and contact information at a glance.

 

Dropbox.

 

No one.

 

Not routinely deleted.

 

The excel file is also password protected for a little extra security.

 

Annual reviews

To identify training needs and check on our performance.

 

Dropbox.

 

No one.

 

Not routinely deleted.

 

 

PAYE info

National insurance number, tax code, pay amounts, tax and NI paid, Home address, Date of birth

To calculate pay.

 

Dropbox and on laptops.

 

HMRC.

 

Not routinely deleted.

 

Information is kept within HMRC basic PAYE tools.

 

Copies of qualifications

To prove that staff have the relevant qualifications.

 

An internet connected Network attached storage.

 

Clients (on request).

 

Not routinely deleted.

 

We only pass on qualifications and do not pass on DBS information or ID such as drivers licenses.

 

Copies of ID

Passport, driving license

To prove that we have ascertained the Identity of staff.

 

An internet connected Network attached storage.

 

No One.

 

Not routinely deleted.

 

If staff have been asked to bring ID to a job but forget then we can pass this on with the consent of the member of staff.

 

Green Form Data

Name and Telephone number

The DofE want contact details of supervisors and assessors on Jobs.

 

Drop box then archived to an internet connected network storage device.

 

The DofE.

Schools will receive a copy.

Not routinely deleted.

 

 

 

Freelancer outdoor professionals

 

What Data we store Why we need it Where we store it Who we share it with When is it deleted Other information
Photos

We take pictures for social media release and for use in our promotions.

 

An internet connected Network attached storage.

 

Posted on Social Media, used on our website and other promotions.

 

Not deleted routinely.

 

 
Bank details

To pay invoices.

 

In the Co-op bank online banking.

 

The Co-op bank.

 

Not deleted routinely.

 

 

Emails

Email addresses and personal information contained in emails.

To communicate with staff.

 

Emails are stored on our ISP email servers and our laptops.

 

Employees of the company and freelancers are sometimes sent information by group email thus sharing the information and each others email addresses so that all can respond.

 

Not deleted routinely.

 

All access to our email servers is via SSL connections.

 

Details of criminal records.

 

Safeguarding and vetting.

 

An internet connected Network attached storage.

No one.

 

Deleted when no longer working for the co-operative.

 

DBS's are not stored but in the event of offenses showing up the information is copied into a file and notes attached detailing if we feel that any of the offences have any bearing on the suitability of the person to work with young people.

 

Qualifications overview and personal details

We have a deployment matrix which contains

Name, Telephone, email, qualifications held, first aid expiry, DBS status (with a tick box if offences are recorded on it) vehicle insurance expiry, home town, driving license details

To ensure that we have up-to-date records of qualifications and contact information at a glance.

 

Dropbox.

 

No one.

 

Not routinely deleted.

 

The excel file is also password protected for a little extra security.

 

Reviews of work

Brief details of work done, strengths and weaknesses, if we feel that there should be deployment restrictions.

To ensure we place suitable staff on jobs.

 

Internet attached network storage.

 

No one.

 

Not routinely deleted.

 

 

Invoices and amounts paid

To ensure we pay the right amount and can show HMRC where our money has gone if requested.

 

Dropbox and archived to internet connected network storage.

 

HMRC and our accountant.

 

Not routinely deleted.

 

 
Copies of qualifications

To prove that staff have the relevant qualifications.

 

An internet connected Network attached storage.

 Clients (on request).

 

Not routinely deleted.

 

We only pass on qualifications and do not pass on DBS information or ID such as drivers licenses.

 

Copies of ID

Passport, driving license

To prove that we have ascertained the identity of staff.

 

An internet connected Network attached storage.

 

No one.

 

Not routinely deleted.

 

If staff have been asked to bring ID to a job but forget then we can pass this on with the consent of the member of staff

Green Form Data

Name and Telephone number

The DofE want contact details of supervisors and assessors on Jobs.

 

Drop box then archived to an internet connected network storage devise.

 

The DofE.

Schools will receive a copy.

Not routinely deleted.

 

 
e-max.it: your social media marketing partner