the Sing and Sign website Enquiry Submission Form,
Book My Class Registration Process,
Printed Class Registers,
Phone Calls, text messages,
Social Communication including Facebook Messaging and WhatsApp,
Printed GDPR Consent Forms for Summer Term 2018 participants,
Signing in sheets at Tasters and public events.
TheData Protection Act 1998
AtSing and Sign Cambridge we look after your details carefully. Weadhere to the requirements of the UK Data Protection Act 1998 and wehave measures to comply with the new GDPR policy, in force from 25thMay 2018.
Useof Personal Information
Singand Sign Cambridge collects data under the Legal Basis of“Performance of a contract to which the data subject is party, orto take steps prior to the entering into a contract at the request ofthe data subject.” as well as “Consent” of the data subject.Personal information provided to Sing and Sign Cambridge via ourwebsite enquiries form, booking site, emails, class registers,telephone contact and social media including calls, text messages,Facebook and WhatsApp, consent forms and signing in sheets will beused for the purposes outlined below.
Administering a space on one of our Sing and Sign courses
Communicating supporting resources for our Sing and Sign courses
Fulfilment of orders for Sing and Sign Resources requested by the data subject including Online Membership
Communication about forthcoming events and offers including Charitable fundraising
Communication pertaining to future Sing and Sign Resource Orders and future Sing and Sign course bookings which would be of direct interest to the data subject
Using social apps such as WhatsApp to enabling a social network between Sing and Sign attendees with the specific consent of each data subject
Processing personal data for the above purposes may entail sharing your information with employees and colleagues of Sing and Sign Cambridge within the Sing and Sign franchise. Agreements exist between Sing and Sign Cambridge and such parties that there must be no further disclosure of such personal data.
We will never share your data with third parties.
Useof Data and Opting - In
Duringyour time with Sing and Sign Cambridge, we will make contact with youvia the means listed above in the following ways:
Wewill send you communications relating to your Sing and Sign course asfollows:
Booking In Offer Emails and Payment Reminders
Pre-Term Welcome Emails and invitations to subscribe to our Online Membership
Handouts by email directly relating to the content of our signing curriculum
Invitations by email to join our Termly Class Order for Sing and Sign Resources and payment reminders where appropriate
Future Term Booking notice by email and payment reminders where appropriate
News, reminders, updates
Urgent changes to session times/parking issues/venues etc.
Fundraising appeals once or twice a year to current class participants
Social stories/shared articles relating to our work
By booking a place, you are entering into a contract with us, and as part of this we will email you information directly relating to your class, thereby fulfilling our obligations to you (for example, letting you know if a class is cancelled, a change of class time, giving you priority to rebook etc.). By "Opting In" you are agreeing for us to also contact you with ongoing information and offers.
Wedo not pass your details to third parties. Upon finishing yourterm/terms with Sing and Sign Cambridge, correspondence directlyrelating to your classes will cease. We may contact you by emailocassionally with relevant news and offers. Sing and Sign Cambridgewill keep your data for up to 7 years unless it is specificallyrequested to be removed from our systems. If at any time you want toalter your preferences or request that Sing and Sign Cambridge stopcommunication with you then you should contact us as described below.
Byconsenting to join our Sing and Sign Cambridge WhatsApp groups youare consenting to the Terms and Conditions provided by WhatsAppincluding the WhatsApp Privacy Policies and we take no responsibilitynor liability for data stored and shared by the WhatsApp company. Byrequesting your telephone number to be stored on a phone belonging tothe franchisee or any employee of Sing and Sign Cambridge, youunderstand that WhatsApp have access to that Contact Numberregardless of whether you join a WhatsApp class group or not. Onceyour Sing and Sign course/s have been completed, staff will/maydelete contact numbers from staff phones at any time during the dataretention period specified above or at the request of the datasubject as specified below.
Accessingyour Personal Data held by Sing and Sign Cambridge.
Youhave the right to ask Sing and Sign Cambridge in writing, for a copyof all the personal data held about you. This is known as a 'datasubject access request'. Upon request, we will collate the datarequested and send it to you within the 30 day maximum period asstipulated by GDPR May 2018.
Pleaseapply in writing to:
Singand Sign Cambridge
Verifying,updating and amending your personal information
Weaim to keep your records as up-to-date as possible. If, at any time,you want to verify, update or amend your personal data or preferencesplease click on the “Update Preferences” link in our emails,contact us in writing at the above address or by email firstname.lastname@example.org
Youcan also opt-out of future communications at any time by clicking theunsubscribe link in our emails, or by writing to the above address orvia email at email@example.com
Pleaseallow up for 10 working days for us to amend your details.
Formore information on GDPR please visit:
Furtherinformation regarding Data Storage and Usage by our Online BookingSystem: provided by “Book My Class”
TheBookMy servers are housed in a datacentre in Sheffield and access tothe physical boxes requires key card access through several sets ofdoors, and a person can only get access to the physical machine ifthey have prior authorisation and are on the allowed list of peoplefor that machine. Servers are connected to a battery UPS which willprovide 3 hours of power should there be an issue. If, after 2 hoursthe power is not restored then there is a diesel generator for thebuilding which will provide unattended power for the next 48 hours.Then it can run indefinitely as long as the diesel is topped up.
Formore information about our hosts and their processes, please go tohttps://www.hahosting.com/sheffielddatacentre
Weback up the data using an offsite backup solution which synchronisesthe backups with the server here at the office, and we keep a rolling7 day backup of all the databases which is taken every day at 3am. Wedo regularly test the backups for integrity, and have restored databack to live databases for clients in the past. The websites which goonline are only ever pre-complied, and source code is never stored onthe servers.
Theservers can only be remotely accessed from Zebranet's office IPaddress, so they cannot be contacted from any computer unless it’sphysically here or connected by VPN. We use non-standard usernamesand 12 digit complex passwords to access the server and only oneaccount has remote access rights to the server again limiting accessoptions further.
Eachof our client's data is all on its own database so that informationisn’t shared with any other applications other than their BookMyinstance. In terms of franchises, the whole franchise network isstored on one database, but only that franchisee's data is presentedto them. In some cases, head office are given access to dashboarddata (number of bookings, class-split, etc.) but they don't haveaccess to clients’ individual records.
Theend user is responsible for ensuring password are secure and notsaved in your browser. We don’t store any customer bank details onthe system. When using PayPal, WorldPay or Stripe, the customer istaken to the merchant's processing page in order to make payment. Oursystem is then sent a success/failure code, so at no point is thecustomer's card details entered into our system.
Ifa user's login was compromised, then the person would only haveaccess to their data and none of the other clients’ databases (orin the case of franchisees, other franchisees’ data).
Zebranetis registered with the ICO as a data controller. This essentiallymeans we hold the data entered into the booking systems, but we don'tdo anything with it, other than back it up and restore it asrequired.
Anydeleted customer’s data will remain on our servers until the backupcycle is finished (7 days). That data won't be accessible from thebooking system, only in the case of a data restore.
TherelevantICO register entry canbe seen athttps://ico.org.uk/ESDWebPages/Entry/ZA316805