Privacy Policy
Centre User Privacy Notice
The Peter Ashley Activities Centres Trust (“the Trust”) complies fully with the General Data Protection Regulations (GDPR) 2018.
We collect information from you about you and any children you hold parental or delegated responsibility for, which is known as ‘personal data’.
This personal data is used to help us make decisions about whether you and/or the person(s) you are responsible for can participate in activities or need extra supervision or support while at Fort Purbrook or Fort Widley, to ensure we meet our legal obligations and to deliver on our Vision and Mission of providing meaningful and challenging opportunities in a unique environment; and to contribute to the development of young people to be the best they can be whilst using the Victorian Forts for the benefit of all.
We will collect name, address, contact details and any health or medical details relevant to your visit to us. We occasionally take photographs and video footage to use on our social media sites and we ask you for your email address if you would like us to inform you of activities and events at the Trust. Where it is required, we will ask for your written consent to collect and use data.
We keep your data safe
We protect all data we collect from you and we take your privacy seriously.
Some data will need more protection such as health and medical details and this is known under the GDPR as ‘special categories’ of data. In order to process this data, we will ask for your specific, written consent. All personal data, whether sensitive or not, is kept on our secure computer systems and/or in locked file cabinets when not in use.
To make sure we keep everyone safe on site we monitor all activities using CCTV cameras. This helps us to see when someone is not following the rules and to act to keep everyone safe. We do this to protect the legitimate interests of the Trust and those using the Centres.
We make sure your data is accurate
We make every effort to ensure the data we hold about you or any person you have parental or delegated parental responsibility for is accurate. If you believe we are holding inaccurate data about you or a person you are responsible for, please see your rights on the second page of this notice.
We keep data for only as long as is necessary
We keep records of health and safety incidents for 3 years, unless they are for a child and then it is until their 18th birthday. This is our legal obligation.
We keep records of all bookings for 2 months after the booking unless required to keep it longer for our legal and/or financial obligations. In each case we keep only the data we are required to keep and use anonymised data where appropriate.
Where we have consent to use images and videos we keep them for two years unless legal proceedings require us to keep them for a longer period.
We keep CCTV footage for 30 days unless it is related to any Health and Safety incident or criminal activity in which case we keep it for as long as legally obliged and as directed by the relevant supervisory authority.
Transfer of data to third parties
For some activities, to meet the requirements of our membership with professional associations, we collect your personal data on behalf of third party organisations including and not limited to:
- British Horse Society (Fort Widley only)
- Riding for the Disabled Association (Fort Widley only)
- Association of British Riding Schools (Fort Widley only)
- British Activity Providers Association
- Council for Learning Outside the Classroom
- Adventure Activity Industry Advisory Committee
Although we do not transfer client data off-site, the data is available for audit by these associations. You will be notified at the point of collection and asked for your written consent.
We transfer data to third parties such as HMRC and the Home Office to meet our legal obligations.
Personal data may also be held on Cloud based IT devices, which means that personal data may be transferred outside of the EU. Where this is the case, the Cloud based IT device has confirmed that it has appropriate safeguards in place. For example, we use Microsoft 365 which transfers data to the US. Microsoft 365 are certified under the EU-US Privacy Shield Framework. This means that the country to which your personal data is transferred (the US) is deemed to provide an adequate level of protection for your personal information.
Your rights
You have new rights under the GDPR as follows:
- The right to be informed and we inform you via this privacy notice.
- You have the right to withdraw your consent for any personal data we process based on your express written consent.
- You have the right to access the personal data we hold about you. You may do so by writing to the CEO as detailed below.
- In limited cases you have the right to object to our processing your data or restrict processing, but this will not apply to data we hold on the basis of legal obligation.
- The right to erasure. This is the right to be ‘forgotten’ and it applies to any data we do not hold for legal obligations. We may keep limited data in our legitimate interests to ensure a person who wishes to be forgotten is not contacted by including basic name and email data on a ‘no-contact’ list.
- You have the right to correct your data if you believe it is inaccurate.
- The right to complain to a supervisory authority.
To exercise any of your rights about or if you are unhappy with how we have processed your data, please contact Darren Bridgman, CEO address below. In all cases we will respond without undue delay and within 30 days.
If you are still unhappy, you have the right to complain to the Information Commissioner’s office at www.ico.org.uk.