What information do we collect about you?
We collect information about you when you complete relevant forms for us, including rider/vaulter/non riding activities application form and the volunteer application form.
How will we use the information about you?
We will not disclose any information about you to any third party other than Riding for the Disabled Association or Pony Club UK, or if required to do so by law.
You have the right to request a copy of the information that we hold about you.
Once you are no longer involved with the Wormwood Scrubs Pony Centre we will securely retain your data for 3 years.
May 14, 2018
Data Protection Policy
Purpose and Background
The WSPC holds information about riders, volunteers and other people involved with our activities. The Wormwood Scrubs Pony Centre has a responsibility to look after this information properly, and to comply with the Data Protection Act. The UK Act will be replaced by the EU General Data Protection Regulation (GDPR) from 25th May 2018. It is likely that the GDPR will continue to form the basis of our Data Protection legislation, even once the UK has left the EU, so it is fully taken into account in this policy.
Good Data Protection practice is not just a matter of legal compliance and ticking the boxes. Data Protection is about taking care of people and respecting their privacy. Poor practice or a serious breach could not only harm individuals but would also have a serious effect on the reputation of the Wormwood Scrubs Pony Centre as a whole.
This policy applies to information relating to identifiable individuals which is held by the Wormwood Scrubs Pony Centre.
Our legal basis for using people’s data
Everything we do with records about individuals – obtaining the information, storing it, using it, sharing it, even deleting it – will have an acceptable legal basis. There are six of these:
Consent from the individual (or someone authorised to consent on their behalf).
1. Where it is necessary in connection with a contract between Wormwood Scrubs Pony Centre and the individual.
2. Where it is necessary because of a legal obligation – if the law says you must, you must.
3. Where it is necessary in an emergency, to protect an individual’s ‘vital interests’.
4. Where it involves the exercise of a public function – i.e. most activities of most government, local government and other public bodies.
5. Where it is necessary in our legitimate interests, as long as these are not outweighed by the interests of the individual.
6. Where we are basing our processing on consent we will be able to ‘demonstrate’ that we hold consent. This means having a record of who gave consent, when they gave it, how they gave it (e.g. on the website, on a form, verbally) and what they actually consented to.
In the case of legitimate interests we will do a balancing test, and be confident that our legitimate interests in using the data in a particular way – for example in providing our services or raising funds to support them – are not over-ridden by the interests of the individual.
There are additional considerations where we are holding information about people’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and also genetic data or biometric data, health data or data concerning their sex life or sexual orientation. We will legitimise the use of any of these categories of data by having the individual’s explicit consent.
Data Protection Principles
Data Protection compliance is based largely on a set of Principles.
The six GDPR Principles say that:
1. Whatever you do with people’s information has to be fair and legal. This includes making sure that they know what you are doing with the information about them.
2. When you obtain information you must be clear why you are obtaining it, and must then use it only for the original purpose(s).
3. You must hold the right information for your purposes: it must be adequate, relevant and limited to what is necessary.
4. Your information must be accurate and, where necessary, up to date.
5. You must not hold information longer than necessary.
6. You must have appropriate security to prevent your information being lost, damaged, or getting into the wrong hands.
Our policy sections below reflect each of these principles in a bit more detail.
Transparency & purposes (first and second Principles)
We will make key information available to people at the time we collect information from them. This includes:
the identity and contact details of Wormwood Scrubs Pony Centre and the person who is responsible for Data Protection;
the purposes we intend to use the data for and our ‘legal basis’ for this (see above); what we regard as our ‘legitimate interests’, if this is our basis for processing;
any specific recipients of the data (e.g. WSPC RDA/PonyClubUK) or categories of recipients.
Other information will be made available where relevant. This includes:
the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
details of the individual’s rights, such as to request a copy of all the data held;
the right to withdraw consent if that is the legal basis for processing (but not retrospectively);
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
In both cases, we will only tell people things they won’t already know. When a rider joins Wormwood Scrubs Pony Centre they or their parent/guardian/school know that we will keep a record about them and their activities with us. When a volunteer comes along it’s the same. We will therefore tell them anything that may not be entirely obvious to them. This could include things like:
The fact that Wormwood Scrubs Pony Centre is a member of Riding for the Disabled Association and a branch of Pony Club UK means that limited data may be passed onto RDA or Pony Club. We will reassure people that data is anonymous when analysed on Tracker by RDA.
Any direct marketing that we may want to carry out (see below), or any additional purpose(s) that we might use the data for – publicity, perhaps. (‘Data’ can include photos, videos, CCTV, audio recordings, etc, not just written records.)
One explicit right that people have is to stop us sending them marketing material (by post, phone, email or text) if they don’t want it. When we collect information from people that might be used for marketing we will say so at the time and ask them if they are happy to hear from us. The wording will be along the lines of: “We would like to keep you up to date with information about Wormwood Scrubs Pony Centre opportunities and events and how you can support us. Please tick here to indicate which method(s) you are happy for us to use:
Mail o, Phone o, Email o, Text o”
These rules are only for marketing. They do not stop us from contacting people in whatever is the most convenient way to give them information about things they have already signed up to, or for other administrative purposes.
Data quality, record keeping and retention (third, fourth and fifth principles)
Our activities will be more effective and appropriate if we have good quality records about the people we are working for and with. GDPR insists on this. We will ensure we have the information we need, but no more (it must be adequate, relevant and limited to what is necessary) and it will be as accurate as we can make it and – where necessary – kept as up to date as possible. We will not keep it longer than necessary.
We will remind our staff and volunteers that the individual concerned has the right to see all the information recorded about them by the Wormwood Scrubs Pony Centre. While Data Protection concerns should never prevent us from recording the information we believe we need (especially in cases relating to safeguarding or other serious misbehaviour), being over-casual, rude or injudicious in an email could easily cause a major crisis for the Wormwood Scrubs Pony Centre, and even the wider RDA/Pony Club UK. This can be a useful discipline in deciding what to record and how to record it.
The Wormwood Scrubs Pony Centre will also have a clear policy on how long to keep information. We will draw up a retention schedule, taking each type of record we hold and specifying how long we normally keep it, and our justification for this. We will set up a process for ensuring that data is deleted or destroyed routinely at the appropriate time.
Security (sixth principle)
We will take good care of the information we hold, whether on computer or on paper, and make sure that we have provided guidance and training to our staff and volunteers so that they treat the information appropriately.
In particular we will think about the risks when data is ‘in transit’ – either on portable devices or when it is being sent out. For example: If people are using their personal phone, laptop, camera or other device for our group’s purposes there will be clear expectations of how they should be secured.
When sending information, particularly by email, we will take steps to prevent confidential information being sent to the wrong person. For example, by using password-protected documents and sending the password in a separate email.
We will also take care not to disclose people’s email addresses or other information inappropriately by carelessly copying in a large number of people or forwarding an email that has been copied widely. Information on paper will not be left lying around, and will only be taken out of a secure location when this is really necessary.
Where information is processed for us externally (for example by RDA/Pony Club UK) we will expect the external organisation to be able to give us satisfactory guarantees about the security measures they take.
Responsibility for compliance with Data Protection lies with the Wormwood Scrubs Pony Centre, not with any specific individual. The Trustees as a whole body will be responsible to keep up to date with any developments, to check that we are complying and have the evidence to prove it, to give advice to staff and volunteers and to handle any issues such as a data breach or a Subject Access Request. The WSPC Trustees have designate someone to be the lead person.
Wormwood Scrubs Pony Centre will notify RDA/Pony Club UK National Office in the event of a serious issue eg a data breach.
When we work in collaboration with other organisations we will sort out clearly (and in writing) who is responsible for what, in order that there are no Data Protection gaps.
If we engage external suppliers to handle data for us in any way, our contract will set out their responsibilities to handle data in a way that will not cause us to be in breach.
The individual WSPC Trustee currently designated is: Janice Gardner Date 12th May 2018
We endeavour to ensure that:
making a complaint is as easy as possible;
we treat a complaint as a clear expression of dissatisfaction with our service which calls for a response;
we treat it seriously whether it is made in person, by telephone, by letter, or by email;
we deal with it promptly, politely and where appropriate, informally (for example, by telephone or in person);
we respond in the right way – for example, with an explanation, or an apology where we have got things wrong, or information on any action taken etc;
we learn from complaints and use them to improve our service.
How to make a complaint
You can make a complaint by writing, e-mail, telephone or in person (by appointment please).
If you are writing your complaint, please provide your telephone number if a response by telephone would be convenient.
If you are e-mailing, please state if a reply by telephone is acceptable or if a response by e-mail is required, if not, please provide your full postal address.
Contact details for complaints:
The Wormwood Scrubs Pony Centre
30 Sunningdale Avenue
Tel. 07864 839296
What happens next?
We will reply within 15 working days from when we receive your complaint. If it is not possible to give you a full reply within this time, for example, if your complaint requires more detailed investigation, we will give you an interim response telling you what is being done to deal with your complaint, when you can expect the full reply and from whom.
The full reply will include details of who to contact next if you believe that your complaint has not been dealt with properly. This will normally be the CEO.