Privacy Policy Last updated 26 April 2018 Download a PDF copy of our Privacy Policy. About us Registration with the Information Commissioner’s Office Data Protection Officer Personal Data Processed by RLSS UK Data Sharing Sub-contract Processing Data Augmentation Profiling International Transfers Secure storage of data Your rights Your right to lodge a complaint with a supervisory authority Cookie Policy About us The Royal Life Saving Society UK (“RLSS UK”) is the drowning prevention charity (charity number 1046060) and is the UK’s leading provider of water safety education and qualifications. RLSS UK is also the National Governing Body, recognised by Sport England, for the sport of life saving. RLSS UK’s website is https://www.rlss.org.uk/ RLSS UK is structured as two limited companies and 47 membership branches located across the UK. The two limited companies are: RLSS U.K. Enterprises Limited (trading as RLSS Direct), with registered office at Redhill House, London Road, WORCESTER, WR5 2JG, United Kingdom (company number 02559199). RLSS Direct stocks, sells and fulfils a range of products to help support the delivery of vocational and non-vocational awards and qualifications mainly via the website https://www.rlssdirect.co.uk/ IQL UK Limited with registered office at Redhill House, London Road, WORCESTER, WR5 2JG, United Kingdom (company number 03719774). IQL UK is the life saving qualification awarding body offering OFQUAL regulated and non-regulated vocational training programmes and qualifications. Through IQL UK, there are more than 90,000 RLSS UK pool lifeguards trained in the National Pool Lifeguard Qualification (NPLQ) and around 95 per cent of all pool lifeguards are trained by RLSS UK. RLSS UK is the controller of all personal data processed by the charity, the two above operating companies and the 47 membership branches. Registration with the Information Commissioner’s Office For the purpose of the Data Protection Act (1998) Royal Life Saving Society UK is registered as a data controller with the Information Commissioners Office with registration number 2811194. Data Protection Officer Data Protection Officer RLSS UK Redhill House London Road WORCESTER WR5 2JG t:0300 3230 096 e: [email protected] Personal Data Processed by RLSS UK RLSS UK collects, stores and processes personal data for several purposes, mainly: personnel administration, financial accounting, marketing and the administration of the charity. The detail of this is described in the table below. Type of data Purpose Legal Basis Retention period Staff/Employment Recruitment Recruiting staff Consent 3 months from date of application Personnel – Names, addresses, telephone numbers, email addresses, National Insurance Number Administration Performance of a contract Some processing may be legitimate interests* 7 years after employment ceases Personnel – Contracts, hours of work Administration Performance of a contract Some processing may be legitimate interests* 7 years after employment ceases Payroll – Names, employee’s society numbers, payroll number, National Insurance Administration of Payroll Performance of a contract 7 years Volunteer/Club Positions Volunteer Application Forms Administration Performance of a contract Some processing may be legitimate interests* 7 years Club Officer Roles Administration Legitimate Interests* Visible records of those is currently in position – Hidden records for historic purposes. No retention period records stay forever Members/Candidates/Trainers Membership list comprising names, addresses, telephone numbers Membership administration and communication Performance of a contract and some processing may be Legitimate Interest* otherwise not a strong legal basis for retaining post membership cessation. 2 years after membership ceases Course candidates – Community based awards comprising names, addresses, telephone numbers, email addresses and course results Award administration Performance of a contract 2 years after all membership and awards have expired*** Course candidates – Non – Regulated awards comprising names, addresses, telephone numbers, email addresses and course results Award administration Performance of a contract 2 years after all membership and awards have expired*** Course candidates – regulated awards comprising names, addresses, telephone numbers, email addresses and course results Award administration Performance of a contract 7 years from the day of assessment *** Honours Nominations Administration of the honours recognition and rewarding Process Legitimate Interest* No retention period records stay forever Membership benefits To send information which is included within your membership of RLSS UK including details about competitions, conference, honours, events and any updates to awards and qualifications Performance of a contract 2 years after all membership and awards have expired*** Queries or complaints data To maintain a record of your interaction with RLSS UK regarding your query or complaint Legitimate Interest* No retention period complaints paperwork stay forever Children’s Data Children under the age of 16 Administration of award data Consent from a parent or guardian or another adult acting in loco parentis 2 years after all membership and awards have expired** Athletes and Officials/Coaches/Team Managers Event attendees Administration Performance of a contract Legitimate interests* 1 year National Records Database Administration of the National Records Performance of a contract Legitimate interest* No retention period records stay forever Elite athletes Administration of the Elite athletes Performance of a contract Legitimate interests* 1 year Officials/ Coaches/Team Managers Administration Performance of a contract Legitimate interests* 1 year Data for the arranging of transportation to and from events Administration Consent Deleted once event is finished Additional Data Processed Names and contact details of Suppliers Supplier and procurement administration Performance of a contract 7 years Donations Charity Donations from members of the public Performance of a contract Consent of the individuals 7 years * Note the legitimate interest may include: retaining records to properly administer and manage your employment, membership or awards and qualifications data with us. In the case of Club Officer Roles – data may be required in relation to complaints or claims and to ensure the effective management of any disciplinary hearings, appeals and adjudications. In the case of Event attendees/Elite athletes and Officials/Coaches and Team Managers we have a legitimate interest to provide you and other members of our organisation with a safe environment in which to participate in sport. National records database – we have a legitimate interest to maintain the records of those competitors who achieve a National record within Lifesaving events Honours nominations – we have a legitimate interest to maintain the records of those individuals who have achieved an RLSS UK Honour for historical purposes. Queries or complaints data – legitimate interest to provide complaint handling services to you in case there are any issues with your membership/club/event etc ** Note that certain information collected for the purposes of personnel administration are a contractual and statutory requirement which are necessary to enter into a contract of employment. Failure to provide this information may result in our inability to offer employment contracts. *** Note that certain candidates may have achieved an RLSS UK Honour and will remain on the system indefinitely as this is classed as historical data Data Sharing RLSS UK shares personal data with the following organisations: Organisation name/category of organisation Purpose of the sharing Data Storage Location RLSS Commonwealth To aid RLSS UK Commonwealth with data on UK Members RLSS UK Digital Service Providers (APT Solutions and Galtec) We employ specialist companies to host our database and facilitate our IT services meaning that they potentially have access to any personal data collected via the channel they manage for us. These organisations are data processors and governed by legal obligations set out in GDPR All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. Official Organisations We share the personal data of some of our members from time to time with official authorities such as governing bodies, insurance companies, police, child welfare All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. Disclosure & Barring Service To disclose a copy of a person’s criminal record All personal data is stored in secure UK data centres operated by organisations with ISO 270001 certification. RLSS UK Branches We share the personal data of some of our members from time to time with members of their local Branch All personal data is stored securely by members of the RLSS UK Branch in which the data is disclosed Sub-contract Processing RLSS UK uses sub-contact organisations to process personal data under a written contract which defines that they must comply with stringent data privacy requirements. RLSS UK only employs organisations that comply with the provisions of the General Data Protection Regulation. These organisations are audited to ensure compliance. RLSS UK’s processors include: Stratum for the secure hosting of databases Mail Chimp to facilitate the sending of its emails M Leach Jewellers for the engraving of medals and trophies Claremont cars for airport transfers Laerdal for the supply of medical therapy and training products Biffa Waste services for the secure removal of waste and confidential waste materials Scottish Widows and NEST for staff pension schemes. Data Augmentation RLSS UK uses augmentation services to satisfy its legal obligation to ensure the accuracy of personal data being processed by using, for example: Royal Mail Postal Address File (PAF) to update redirected addresses and to ensure address accuracy and completeness. Profiling RLSS UK does not use profiling International Transfers RLSS UK transfers personal data outside of the United Kingdom to the following organisations: Organisation Country Purpose Safeguards MailChimp USA To send group emails to members and candidates on our database about things that they have opted in to hearing about Mailchimp is based in the USA which is not recognised by the European Commission as a country having data protection and privacy laws equivalent to those we enjoy as European citizens. MailChimp subscribes to the EU-US Privacy Shield meaning that MailChimp has adopted work practices that are approved by the EU in relation to data protection practices. The MailChimp registration on the Privacy Shield is available to review on the Provacy Shield website www.privacyshield.gov/list Survey Monkey USA To facilitate the sending of member surveys from time to time. SurveyMonkey Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield. SurveyMonkey is committed to subjecting all personal information and data received from European Union (EU) member countries and Switzerland, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. https://www.privacyshield.gov/ Secure storage of data All personal data are stored in secure UK data centres operated by organisations with ISO 270001 certification. Your Rights You have the following rights concerning your personal data: Right of access You have the right to obtain confirmation from RLSS UK as to whether or not personal data concerning you are being processed, and, where that is the case, access to that personal data. Right to rectification You have the right to oblige RLSS UK to rectify inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed by providing a supplementary statement. Right to erasure (right to be forgotten) You have the right (under certain circumstances, but not all) to oblige RLSS UK to erase personal data concerning you. Right to restriction of processing You have the right (under certain circumstances, but not all) to oblige RLSS UK to restrict processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you. Right to data portability You have the right (under certain circumstances, but not all) to oblige RLSS UK to provide you with the personal data about you which you have provided to RLSS UK in a structured, commonly used and machine-readable format. You also have the right to oblige RLSS UK to transmit those data to another controller. Right to withdraw consent If the lawful basis for processing is consent, you have the right to withdraw that consent which you can exercise by [insert consent withdrawal mechanism] Right to object to direct marketing Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for marketing, which includes profiling to the extent that it is related to such direct marketing. Rights in relation to automated decision making and profiling RLSS UK does not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you. Your right to lodge a complaint with a supervisory authority If you wish to exercise any of your rights concerning your personal data, please contact RLSS UK’s Data Protection Officer at the address shown above. If you are not satisfied with the response you receive you have the right to lodge a complaint with the supervisory authority. In the United Kingdom this is: Information Commissioner’s OfficeWycliffe HouseWater LaneWilmslowCheshireSK9 5AF (t) 0303 123 1113(e) [email protected] Cookie Policy We use a feature of your internet browser called a ‘cookie’ on the RLSS UK website. We do not use ‘cookies’ to retrieve personal information about you from your computer. We will only gain such information if you have knowingly and willingly provided such information to us. What is a cookie? A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. We use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system. Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website. Cookie Maintenance You can set your browser to accept or reject all specific ‘cookies’. You can also set your browser to alert you each time a ‘cookie’ is presented to your computer. You can delete ‘cookies’ that have been stored on your computer but remember, if you prevent us from placing ‘cookies’ on your computer during your visit, or you subsequently delete a ‘cookie’ that has been placed, it will not be possible for you to use our website effectively. By disabling your ‘cookies’ from the browser settings, you will be restricting the ‘cookies’ that RLSS UK uses to manage its website and this will have an impact on how the website will function. This will apply to all websites once ‘cookies’ are disabled via your browser settings and not only RLSS UK website. If you would like to restrict or block ‘cookies’ that are set by us and other websites, you can do this through your web browser settings. Instructions for how to do this for the four most used web browsers are below. For other web browsers, please use the Help function on your browser for details on how to do this. For information on how to restrict or block ‘cookies’ on your mobile phone, you will need to refer to your handset manual. Guide to Disabling ‘Cookies’ using Web Browsers Safari Go to the Safari menu. Click on the Preferences. Click the ‘Security’ tab. Under ‘Accept Cookies’, set it to accept, reject, or selectively accept cookies. Firefox 3.0+ Click on ‘Tools’ in the menu bar Click on ‘Options…’ Click on ‘Privacy’ Tab in the top section From the drop down box select ‘Use custom setting for history’ Un -tick the box that says ‘Accept Cookies From sites’ Click OK and Close the screen. Internet Explorer 7.0+ Click on ‘Tools’ in the menu bar Click on ‘Options’ Click on ‘Privacy’ Tab on top section Click on the ‘Advanced” button Select ‘Prompt’ for both ‘First party cookies’ and ‘Third Party Cookies’ Click OK and Close the screen. Google Chrome 8.0+ Click to ‘Tools Menu’ Click on ‘Options’ Click on ‘Under the Bonnet’ Click on ‘Cookie Setting’ button and tick ‘Block all third-party cookies without exception’ Close the screen.