Effective from 25th May 2018
Oxford Active is committed to the safety and protection of all children in its care, staff and parents, and as such this commitment also applies to the protection of personal data, set out by the GDPR.
Oxford Active acts as a Data Controller according to the legislation set out by GDPR.
‘Oxford Active’ encompasses multiple brands and services, which include but are not limited to Active Camps, Active Clubs, Active Plus, Active Adventure, and Oxford Spires International. This policy applies to all of the services, activities, and programmes delivered under the brands listed above, as well as by Oxford Active as a collective.
In order to process bookings and enquiries we need to collect personal details about you and the children or students on your booking. We will respect and protect your privacy at all times. This policy sets out how we will collect, use and store any personal data about you and your child(ren) or students.
By creating an online account on our booking platform, you are agreeing to us storing and processing this information as set out below. You are responsible for ensuring you have the agreement from all persons on your account and booking to pass on their details to us.
What is our legal basis for processing data?
Our lawful bases for processing data are as follows:
- Consent – consent has been obtained to use personal data
- Contract – the processing of data is necessary to fulfil our service agreement with customers
- Legitimate Interest – we use your data to pursue our legitimate interests in such ways which would be reasonably expected to operate our business, and which does not impact on the freedom or rights of customers
When do we collect data?
When you register your details with us or make a booking we will need to collect certain personal details to process your booking and make the necessary arrangements for your child(ren) or students to attend our programmes.
Prior to attending our programmes, we will also need to collect more sensitive personal data, specifically relating to the children on your bookings, such as medical conditions, allergies and educational needs to ensure we can provide the appropriate care for your children or students.
While your children are in our care you may need to complete forms which will require personal information relating to you or your child, or if you contact us with a query/complaint.
We may also collect data from you in other ways that will request your name, address, email address and telephone number. For example, when you enter a competition, complete a survey, follow us through social media or when you actively sign up to email or phone text messages from us for marketing purposes.
What data do we collect?
1. Account Holder details - Name, address, DOB, telephone numbers, email address, encrypted log in password, security word, details of your interactions with us e.g. a query on your account/complaint, details of your visits to our website (see Cookies), personal details to help tailor our services to you, payment card details, comments and service reviews, work address and telephone number and social media username if you make contact with us in this way
2. Children’s details – Name, address, DOB, medical, behavioural or educational needs, swimming ability, school, registered GP, language
The law requires us to take reasonable steps to ensure data is kept accurate and up to date. We remind customers to update details when logging into their account, and Oxford Active employees will also confirm customers’ details during telephone conversations.
How do we use your data?
If you have registered an account with us we may use your data to contact you via post, email, phone or text message with information about offers, news, services and products or to administer prize draws/competitions you may have entered or to send surveys or feedback requests.
We will only do this if you have opted in to receive such information from us and you have the right to opt out of your data being used for marketing purposes at any time.
Please let us know if your details or preferences change so we can keep our records up to date.
If you have a booking with us, in addition to the above, we will use your data in relation to delivering our childcare services, to contact you with information relating to your booking and your child(ren)’s time at camp, to protect the welfare of your child, to comply with our legal obligations and to process payments.
If you sign up to our newsletters or have given us consent to send you marketing information (done during the booking process) then we will collect your contact details including name and email address.
With your consent, we will use your personal data and camp location preferences to keep you informed by email, web, text, telephone and through our customer support team about our programmes including dates, special offers, promotions, events, competitions and so on.
Opting In/Out - Your privacy is important to us which is why we like to make sure you’re in control. You can opt in or out at any time by ticking/unticking certain boxes that relate to your personal information and its use. You can do this yourself by logging into your account or contacting us at: firstname.lastname@example.org or on 01865 800290.
You can also click ‘unsubscribe’ at the bottom of any emails from us and can ask us to stop any SMS messages by contacting us via phone or email. We will then update your account accordingly.
Third Parties - We will not pass on your personal information to other users of the sites and we will only ever pass on your personal details to a third party if it is necessary to fulfil a particular service on your behalf or as part of our normal business activities.
Any details passed on will be transferred in a secure manner. At times, third parties ‘manage’ our data, for such services as deduping, mailing, e-marketing campaigns, data analysis and profiling. Information is given securely and only to approved suppliers.
Should any safeguarding concerns or legal proceedings require us to pass on your personal information we trust you will understand that we have a duty to comply with the law. Please be aware that the way in which your personal details would be legally protected within the UK may differ from other countries.
Our website contains links to and from other websites including schools and advertisers. If you follow a link from any of our websites to another site, please be aware that the third party site will have its own privacy and data protection policies and we are not responsible for how they may collect their data.
How do we protect data?
Storage - Once data is received, we will take all reasonable steps to ensure your data is secure to prevent unauthorised access to it. All information you provide is stored on secure databases, our IT systems are password protected, hard copy information at camp or on any other site is held in lockable containers and all payment transactions are encrypted.
Transfer – Oxford Active uses Office 365 – Azure Information Protection when sending confidential and sensitive information by email to customers or external suppliers/authorities. This is a cloud-based computer file service which encrypts the files and therefore cannot be intercepted.
Security and passwords - When you create an account with us you will be required to provide an email and password so that you can access your details online. We advise your password should consist of at least six characters that are a combination of letters, numbers and symbols (e.g.@, #, $, %). It should also contain letters in both uppercase and lowercase. We never have access to your password.
Please do not share your password or security word with anyone. Unfortunately, the passing of data via the internet is not completely secure therefore any transmission is at your own risk.
Please keep these details safe and not written down anywhere. If you change your personal details or if you suspect that someone else has used your password or security word, then please notify us as soon as possible.
How long do we keep data for?
There are legal requirements for how long we have to keep data for before destroying it. Due to the nature of our services involving children we are required to keep information relating to each child and their booking until they reach the age of 21 years. All data is archived by year of attendance and destroyed 17 years later in order to ensure data for the youngest child on camp in that particular year is kept until they are 21 years. When the time arises, we securely delete and destroy all of the information we hold. Hard copies of personal data are shredded, and electronic copies are securely deleted.
Whilst we hold data for longer, we will only actively use this to contact you regarding our products and services within a maximum of 3 years of your last booking/enquiry with us.
You have the following rights in relation to your data:
Right to access, rectification, erasure, data portability, object and automated decision making (including data profiling).
If you would like to exercise any of these rights please write to Oxford Active, Upper Campsfied Barns, Woodstock, OX20 1PW or by email to: email@example.com or you can call us on 01865 800290.
Please note that in some circumstances we will still need to retain certain data in order to comply with our legal obligations.
If a subject access request is put forward, we will send the information within one month (30 days) and free of charge – this will be sent in a protected file.
Please note that we will ask some security questions to prove your identity before disclosing any data.
If you are not happy with the way we have handled your data or responded to your requests you can lodge a complaint with the Information Commissioner’s Office at www.ico.org.uk/concerns or by phone on 0303 123 1113.
Changes to our policy
We reserve the right to update this policy from time to time and we will keep you informed by updating this statement on our website.
To contact us, please email firstname.lastname@example.org.