
Actualise Parkour Data Protection Policy

Introduction

At Actualise Parkour, we take the protection of personal data seriously and are committed to complying with the UK General Data Protection Regulation (GDPR). This policy outlines how we manage, store, and protect personal data, ensuring that it is handled lawfully and responsibly.

 

1. Data Controller

Actualise Parkour is the sole Data Controller for all personal data collected from clients, staff, and other individuals. This means we determine the purposes and means of processing personal data.

 

2. Types of Data Collected

We collect and process the following types of personal data:

  • Client information: Name, date of birth, address, phone number, email, parent/guardian details, medical information, doctor’s contact, emergency contact, and swimming consent.

  • Staff and coach information: DBS records and qualifications.

 

3. Data Handling and Storage

All data is handled digitally and stored securely using the following measures:

  • Access Restrictions: Personal data can only be accessed on devices with passcode protection or biometric security (Face ID). Certain data is restricted to authorized personnel only.

  • Two-Step Verification: Access to our online records, including Google Forms and Google Drive, is protected by two-step verification for added security.

 

4. Data Retention

We retain client data for up to six months after the client stops using our services. Staff records are reviewed annually to ensure continued relevance and accuracy. After the retention period, all data is securely deleted or anonymized unless further retention is legally required.

 

5. Data Audits and Review

To ensure continued compliance and security:

  • We conduct data audits every three months, reviewing storage practices, access permissions, and overall data security.

  • Records of these audits are maintained, and any necessary improvements are documented and implemented.

 

6. Data Sharing

We share personal data in limited circumstances:

  • With Coaches: Medical information is shared with other coaches to ensure safety during classes.

  • In Emergencies: Medical information may be shared with healthcare professionals or emergency services if required for the safety of the individual.

All data sharing is conducted in line with GDPR principles, and shared information is limited to what is strictly necessary.

 

7. Breach Reporting Procedure

Step-by-Step Internal Data Breach Procedure

In the event of a data breach, Actualise Parkour follows these steps to manage the situation effectively:

  1. Identify the Breach

    • As soon as a potential breach is detected (whether by staff, a coach, or system alert), it must be reported to the Data Controller immediately.

  2. Assess the Breach

    • The Data Controller will conduct an initial investigation to determine:

      • The nature of the breach (e.g., unauthorized access, loss, or theft).

      • The categories of data affected (e.g., personal details, medical information).

      • The potential impact on the individuals affected.

  3. Contain and Mitigate the Breach

    • Steps are taken to contain the breach and prevent further unauthorized access or exposure of data. This might include:

      • Revoking access to compromised systems.

      • Resetting passwords or enhancing security measures.

      • Isolating affected files or devices.

  4. Notify the ICO (Information Commissioner’s Office)

    • If the breach poses a risk to the rights and freedoms of individuals, it must be reported to the ICO within 72 hours of becoming aware of the breach. The notification will include:

      • The nature of the breach.

      • Categories and approximate number of individuals affected.

      • Contact details for more information.

      • Potential consequences and mitigation efforts.

  5. Notify Affected Individuals

    • If the breach is likely to result in a high risk to the affected individuals, they will be notified without undue delay. This communication will include:

      • A description of the nature of the breach.

      • The potential impact on their data and personal information.

      • Steps that they should take to protect themselves (e.g., monitoring for unusual activity, changing passwords).

      • Measures Actualise Parkour is taking to mitigate the effects.

  6. Document the Breach

    • All breaches, whether reportable to the ICO or not, will be documented in a breach register. This includes:

      • Details of the breach.

      • Actions taken to resolve it.

      • Notifications made.

      • Future preventative measures implemented to avoid recurrence.

  7. Post-Breach Review and Corrective Actions

    • Once the breach is resolved, Actualise Parkour will conduct a post-incident review to:

      • Analyze the root cause of the breach.

      • Implement corrective measures (e.g., improving security protocols, retraining staff).

      • Strengthen data protection systems based on findings.

 

8. Staff Training and Responsibilities

All staff and coaches are required to handle personal data responsibly and comply with the data protection guidelines set forth in this policy. They are also responsible for safeguarding any information they may access.

 

9. Data Protection by Design

We are committed to implementing Data Protection by Design and by Default, ensuring that all new processes, forms, or systems that involve personal data are designed with privacy and security in mind from the outset.

 

10. Rights of Individuals

Under GDPR, individuals have the following rights concerning their personal data:

  • Right to Access: Individuals can request to see the personal data we hold about them.

  • Right to Rectification: Individuals can request that we correct any inaccurate data.

  • Right to Erasure: Individuals can request the deletion of their data once it is no longer necessary for the purposes it was collected.

  • Right to Restrict Processing: Individuals can request limitations on how their data is processed.

  • Right to Data Portability: Individuals can request that their data be transferred to another service provider in a structured, commonly used format.

  • Right to Object: Individuals can object to the processing of their data for specific reasons.

All requests will be handled promptly, and individuals will be notified of any action taken within one month of the request.

 

11. Cookies and Analytics

As part of our website management, we use cookies to track performance and improve user experience. A cookie consent banner is displayed on our website, giving users the option to accept or reject non-essential cookies.

 

12. Contact Information

For any questions or concerns related to this Data Protection Policy, or to exercise any data rights under GDPR, please contact:

 

13. Policy Updates

This policy will be reviewed and updated regularly to ensure compliance with data protection laws. Any significant changes will be communicated to clients and staff, and the updated policy will be made available on our website.
