the Sing and Sign website Enquiry Submission Form,
Book My Class Registration Process,
Printed Class Registers,
Phone Calls, text messages,
Social Communication including Facebook Messaging and WhatsApp,
Printed GDPR Consent Forms for Summer Term 2018 participants,
Signing in sheets at Tasters and public events.
The Data Protection Act 1998
At Sing and Sign Cambridge we look after your details carefully. We adhere to the requirements of the UK Data Protection Act 1998 and we have measures to comply with the new GDPR policy, in force from 25th May 2018.
Use of Personal Information
Sing and Sign Cambridge collects data under the Legal Basis of “Performance of a contract to which the data subject is party, or to take steps prior to the entering into a contract at the request of the data subject.” as well as “Consent” of the data subject. Personal information provided to Sing and Sign Cambridge via our website enquiries form, booking site, emails, class registers, telephone contact and social media including calls, text messages, Facebook and WhatsApp, consent forms and signing in sheets will be used for the purposes outlined below.
Administering a space on one of our Sing and Sign courses
Communicating supporting resources for our Sing and Sign courses
Fulfilment of orders for Sing and Sign Resources requested by the data subject including Online Membership
Communication about forthcoming events and offers including Charitable fundraising
Communication pertaining to future Sing and Sign Resource Orders and future Sing and Sign course bookings which would be of direct interest to the data subject
Using social apps such as WhatsApp to enabling a social network between Sing and Sign attendees with the specific consent of each data subject
Processing personal data for the above purposes may entail sharing your information with employees and colleagues of Sing and Sign Cambridge within the Sing and Sign franchise. Agreements exist between Sing and Sign Cambridge and such parties that there must be no further disclosure of such personal data.
We will never share your data with third parties.
Use of Data and Opting - In
During your time with Sing and Sign Cambridge, we will make contact with you via the means listed above in the following ways:
We will send you communications relating to your Sing and Sign course as follows:
Booking In Offer Emails and Payment Reminders
Pre-Term Welcome Emails and invitations to subscribe to our Online Membership
Handouts by email directly relating to the content of our signing curriculum
Invitations by email to join our Termly Class Order for Sing and Sign Resources and payment reminders where appropriate
Future Term Booking notice by email and payment reminders where appropriate
News, reminders, updates
Urgent changes to session times/parking issues/venues etc.
Fundraising appeals once or twice a year to current class participants
Social stories/shared articles relating to our work
By booking a place, you are entering into a contract with us, and as part of this we will email you information directly relating to your class, thereby fulfilling our obligations to you (for example, letting you know if a class is cancelled, a change of class time, giving you priority to rebook etc.). By "Opting In" you are agreeing for us to also contact you with ongoing information and offers.
We do not pass your details to third parties. Upon finishing your term/terms with Sing and Sign Cambridge, correspondence directly relating to your classes will cease. We may contact you by email ocassionally with relevant news and offers. Sing and Sign Cambridge will keep your data for up to 7 years unless it is specifically requested to be removed from our systems. If at any time you want to alter your preferences or request that Sing and Sign Cambridge stop communication with you then you should contact us as described below.
By consenting to join our Sing and Sign Cambridge WhatsApp groups you are consenting to the Terms and Conditions provided by WhatsApp including the WhatsApp Privacy Policies and we take no responsibility nor liability for data stored and shared by the WhatsApp company. By requesting your telephone number to be stored on a phone belonging to the franchisee or any employee of Sing and Sign Cambridge, you understand that WhatsApp have access to that Contact Number regardless of whether you join a WhatsApp class group or not. Once your Sing and Sign course/s have been completed, staff will/may delete contact numbers from staff phones at any time during the data retention period specified above or at the request of the data subject as specified below.
Accessing your Personal Data held by Sing and Sign Cambridge.
You have the right to ask Sing and Sign Cambridge in writing, for a copy of all the personal data held about you. This is known as a 'data subject access request'. Upon request, we will collate the data requested and send it to you within the 30 day maximum period as stipulated by GDPR May 2018.
Please apply in writing to:
Sing and Sign Cambridge
7 Fanshawe Road
Verifying, updating and amending your personal information
We aim to keep your records as up-to-date as possible. If, at any time, you want to verify, update or amend your personal data or preferences please click on the “Update Preferences” link in our emails, contact us in writing at the above address or by email at firstname.lastname@example.org
You can also opt-out of future communications at any time by clicking the unsubscribe link in our emails, or by writing to the above address or via email at email@example.com
Please allow up for 10 working days for us to amend your details.
For more information on GDPR please visit:
Further information regarding Data Storage and Usage by our Online Booking System: provided by “Book My Class”
The BookMy servers are housed in a datacentre in Sheffield and access to the physical boxes requires key card access through several sets of doors, and a person can only get access to the physical machine if they have prior authorisation and are on the allowed list of people for that machine. Servers are connected to a battery UPS which will provide 3 hours of power should there be an issue. If, after 2 hours the power is not restored then there is a diesel generator for the building which will provide unattended power for the next 48 hours. Then it can run indefinitely as long as the diesel is topped up.
For more information about our hosts and their processes, please go to https://www.hahosting.com/sheffielddatacentre
We back up the data using an offsite backup solution which synchronises the backups with the server here at the office, and we keep a rolling 7 day backup of all the databases which is taken every day at 3am. We do regularly test the backups for integrity, and have restored data back to live databases for clients in the past. The websites which go online are only ever pre-complied, and source code is never stored on the servers.
The servers can only be remotely accessed from Zebranet's office IP address, so they cannot be contacted from any computer unless it’s physically here or connected by VPN. We use non-standard usernames and 12 digit complex passwords to access the server and only one account has remote access rights to the server again limiting access options further.
Each of our client's data is all on its own database so that information isn’t shared with any other applications other than their BookMy instance. In terms of franchises, the whole franchise network is stored on one database, but only that franchisee's data is presented to them. In some cases, head office are given access to dashboard data (number of bookings, class-split, etc.) but they don't have access to clients’ individual records.
The end user is responsible for ensuring password are secure and not saved in your browser. We don’t store any customer bank details on the system. When using PayPal, WorldPay or Stripe, the customer is taken to the merchant's processing page in order to make payment. Our system is then sent a success/failure code, so at no point is the customer's card details entered into our system.
If a user's login was compromised, then the person would only have access to their data and none of the other clients’ databases (or in the case of franchisees, other franchisees’ data).
Zebranet is registered with the ICO as a data controller. This essentially means we hold the data entered into the booking systems, but we don't do anything with it, other than back it up and restore it as required.
Any deleted customer’s data will remain on our servers until the backup cycle is finished (7 days). That data won't be accessible from the booking system, only in the case of a data restore.
The relevant ICO register entry can be seen at https://ico.org.uk/ESDWebPages/Entry/ZA316805