Privacy Policy
Overview
Every day, Lift Lessons may be in a position to receive, process and store personal information about people that use our sites. It is important that this information is handled lawfully and appropriately as required by data protection law including the General Data Protection Regulation (GDPR) and the Children’s Online Privacy Protection Rule (COPPA).
We take our data protection duties seriously, because we respect the trust that is being placed in us to use personal information appropriately and responsibly.
Policy
This policy, and any other documents referred to in it, sets out the basis on which we will process any personal data we collect or process.
This policy does not form part of any contract or terms of service for use of our system and may be amended at any time.
The Data Protection Officer is responsible for ensuring compliance with the Data Protection Requirements and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Officer or reported in line with the organisation’s Grievance Policy.
This statement explains how Lift Lessons handles and uses personal data we collect about staff and our users. Where in this statement we refer to ‘we’ or ‘our’ or ‘us’ we are referring to Lift Lessons, and where we refer to ‘you’ or ‘your’ we are referring to our users. We are registered with the Information Commissioner's Office (ICO) with registration [ZA734712].
We are committed to protecting your personal information and to being transparent about what information we hold. Lift Lessons understands its obligations to you to help you understand how and why we process your personal data. This notice tells you about these uses and should be read in conjunction with the Lift Lessons Information Security Policy (LL102).
Our data protection policy and procedures are governed by data protection law including the Data Protection Act 2018, the Children’s Online Privacy Protection Rule (COPPA) and, from 25th May 2018, the EU General Data Protection Regulation (GDPR). The law in this area is changing rapidly and we anticipate this statement may be revised in line with guidance from the Information Commissioner’s Office.
What is Personal Data
Personal data
Personal Data means data (whether stored electronically or paper based) relating to a living individual who can be identified directly or indirectly from that data (or from that data and other information in our possession).
Processing
Processing is any activity that involves use of personal data. It includes obtaining, recording or holding the data, organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.
Sensitive personal data
This includes personal data about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, physical or mental health condition, sexual orientation or sexual life. It can also include data about criminal offences or convictions. Sensitive personal data can only be processed under strict conditions, including with the consent of the individual.
Why we hold your personal data
We are required to hold your personal data for contractual obligations, without which we would be unable to provide you with the Lift Lessons service. Holding this data enables us to provide access to the Lift Lessons system as per the contractual obligations when creating an account. We also use your payment details when you need to purchase a new lesson through our platform. These are not stored directly on our system, as they are processed by a third-party company (Stripe).
Lawful basis for processing personal data
The lawful basis for processing the personal data of employees as described in this document is to fulfil a contract with an individual. There is a contractual requirement for you to provide much of the information detailed. Without this we will be unable to fulfil our obligations which could result in the contract terminating.
Data Protection Principles
Anyone processing personal data must ensure that data is:
Processed fairly, lawfully and in a transparent manner;
Collected for specified, explicit and legitimate purposes and any further processing is completed for a compatible purpose;
Adequate, relevant and limited to what is necessary for the intended purposes. In particular, it is prohibited from conditioning a child’s participation in an activity on disclosure of more personal information than reasonably necessary to participate in the activity.
Accurate, and where necessary, kept up to date;
Kept in a form which permits identification for no longer than necessary for the intended purposes;
Processed in line with the individual’s rights and in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
Not transferred to people or organisations situated in countries without adequate protection and without firstly having advised the individual.
Notifying Individuals
The information we hold about you is primarily information you provided when creating your account, supplemented by information generated when using our system.
The purpose or purposes for which we intend to process that personal data, as well as the legal basis for the processing;
Where we rely upon the legitimate interests of the business to process personal data, the legitimate interests pursued;
The types of third parties, if any, with which we will share or disclose that personal data;
The fact that the business intends to transfer personal data to a non-EEA country or international organisation and the appropriate and suitable safeguards in place;
How individuals can limit our use and disclosure of their personal data;
Information about the period that their information will be stored or the criteria used to determine that period;
Their right to request from us as the controller access to and rectification or erasure of personal data or restriction of processing;
Their right to object to processing and their right to data portability;
Their right to withdraw their consent at any time (if consent was given) without affecting the lawfulness of the processing before the consent was withdrawn;
The right to lodge a complaint with the Information Commissioner’s Office;
Other sources where personal data regarding the individual originated from and whether it came from publicly accessible sources;
Whether the provision of the personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and any consequences of failure to provide the data;
The existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual;
If we receive personal data about an individual from other sources, we will provide them with this information as soon as possible (in addition to telling them about the categories of personal data concerned) but at the latest within 1 month.
Sensitive personal data held by Lift Lessons
We do not store or process any sensitive personal data that is laid out under GDPR or COPPA. If this does change in the future, this Policy will be updated and you will be updated with what sensitive personal data we would need to hold, why we need the data, and how it is stored.
How your Personal Data is processed
In the course of our business, we may collect and process the personal data set out in the LL103. This may include data we receive directly from a data subject (for example, by completing forms or by corresponding with us by mail, phone, email or otherwise) and data we receive from other sources (including, for example, location data, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
We will only process personal data for the specific purposes set out in the NPH103 or for any other purposes specifically permitted by the Data Protection Requirements. We will notify those purposes to the data subject when we first collect the data or as soon as possible thereafter.
Your data is used by us for a number of purposes including but not limited to:
Publications, invitations and other communications;
e-news and flash emails;
internal reporting and record keeping;
Responding to data access requests you make;
issuing references at your request;
Inclusion on the website; or
Marketing, including images, online, in print and on social media (with your consent).
Communications to you may be sent by email or through live chat within our system.
If you have concerns or queries about any of these purposes, or how we communicate with you, please contact the Data Protection Officer. We will always respect a request by you to stop processing your personal data, and in addition your statutory rights are set out below.
Sharing your data with others
Within Lift Lessons, personal data may be shared between members of staff who legitimately need the information to carry out their normal duties. We endeavour to ensure that personal data is only shared with colleagues or outside companies with your explicit consent, such as when you make a payment for a new session.
However, circumstances may arise where this data is shared with colleagues without gaining your consent. This will only occur if it is necessary to protect your vital interests or the vital interests of another person; or for certain other reasons where it is not possible or appropriate to gain your consent such as disclosures to the police for prevention or detection of crime, or to meet statutory obligations relating to equality monitoring.
Lift Lessons may disclose certain personal data to third parties. These external organisations, and the purpose for sharing the information, are set out below.
Otherwise, Lift Lessons does not share data with any third party, except as allowed for in other privacy notices or required by law. We do not sell your personal data to third parties under any circumstances, or permit third parties to sell on the data we have shared with them.
Transfer of personal data to other countries
Where data is shared within the UK, or the European Union (EU), the third party will be required to comply with and safeguard the data under the terms of the DPA and appropriate EU regulations (GDPR). Your personal information will only be transferred to countries, outside of the EU, whose data protection laws have been assessed as adequate by the European Commission, or where adequate safeguards, such as the EU-US Privacy Shield, are in place.
How long data is kept
We will keep your personal data only as long as is necessary for the purpose(s) for which it was collected, and in accordance with our Information Security Policy (LL102). Data will be securely destroyed when no longer required.
Where you exercise your right to erasure, we will carry out your request without delay and complete it within 30 days of the original request. By exercising your right to erasure, you would therefore lose access to the system, as your login details and any details linked to your account would be securely destroyed.
Data Security
We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
We have put in place procedures and technologies to maintain the security of all personal data from the point of the determination of the means for processing and point of data collection to the point of destruction. Personal data will only be transferred to a data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
Confidentiality means that only people who are authorised to use the data can access it.
Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on PeopleHR instead of individual PCs.
Security Procedures Include:
Entry controls - Any stranger seen in entry-controlled areas should be reported.
Data minimisation
Pseudonymisation and encryption of data.
Methods of disposal - Digital storage devices should be physically destroyed when they are no longer required.
Transferring Personal Data Outside of the EEA
We may transfer any personal data we hold to a country outside the European Economic Area (‘EEA’) or to an international organisation, provided that one of the following conditions applies:
The country to which the personal data are transferred ensures an adequate level of protection for the data subjects’ rights and freedoms;
The data subject has given his consent;
The transfer is necessary for one of the reasons set out in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject;
The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims;
The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the data subjects’ privacy, their fundamental rights and freedoms, and the exercise of their rights.
Subject to the requirements above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Those staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.
Your rights
You have the following rights:
To Be Informed:
This privacy notice provides the information you are entitled to receive.
Access
Please contact us if you would like confirmation that your data is being processed and access to your personal data. A parent can review their child’s personal information collected by the site.
There is no charge for us providing you with this data and it will be provided within a month of the request (unless the request is unfounded or excessive).
Rectification
Please inform us of any data which you would like rectified and we will usually respond within a month of the request. We will pass on the changes to any third parties who need to change their records and let you know this has been done.
Erasure
You may exercise your right to have your, or your child’s, personal data erased in a number of circumstances (e.g. if the data is no longer necessary in relation to the purpose for which it was created, or you withdraw your consent). Where possible we will comply with all such requests, though some details are part of the Lift Lessons permanent which cannot reasonably be deleted.
Restrict Processing
You can tell us that we can keep your data but must stop processing it, including preventing future mailings and communications. If possible, we will inform any third parties to whom your data has been disclosed of your requirement.
Data Portability
Your data is across manual records and a bespoke Access database. We will do our best to provide information in a portable format, but it is unlikely that we can create systems to do so.
To Object
If we can, we will stop processing your data, or your child’s data, if you object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling). We will stop processing your data, or your child’s data, for direct marketing if you tell us to. We will stop processing your data, or your child’s data, if you object to processing for purposes of research and statistics.
You have the option to consent to our collection and use of personal information, without consenting to disclosure to third parties.
Not to be subject to automated decision-making including profiling
We do not use any automated decision-making.
You have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/concerns
Further information
The controller for your personal data and our Data Protection Officer is the Information Security Manager of Lift Lessons who can be contacted via sb@nephos-solutions.co.uk or 2nd Floor, White Rose House, Otley Road, Headingley, LS6 2AD.
Our Data Protection Officer is responsible for monitoring compliance with relevant legislation in relation to the protection of personal data. Please contact us at sb@nephos-solutions.co.uk if you have any concerns or questions about the above information or you wish to ask us not to process your personal data for particular purposes or to erase your data. Where you have specific requests relating to how we manage your data, we will endeavour to resolve these, but please note that there may be circumstances where we cannot comply with specific requests.
If you have any concerns about your personal data held by Lift Lessons, you will need to contact us by emailing sb@nephos-solutions.co.uk.