Snowball Farm Privacy Notice

PRIVACY NOTICE

Snowball Farm Equestrian Centre’s commitment to your privacy

 

What information do we collect about you?

Snowball Farm holds personal information about clients, volunteers and other people involved in our activities.  We collect this information when you complete relevant forms for us including our Rider Registration form.  We treat your information with utmost care and take appropriate steps to protect it.

 

How will we use the information about you?

We will use this information about you to administer and schedule the services we provide to you.  We will not pass on any information about you to any third party.  We will not disclose any information about you to any company or public body unless we are required to by law.

 

Direct Marketing

We would like to keep you up to date with news and information about Snowball Farm.  You will only receive marketing information from us if you have consented to do so and you may stop us from contacting you for marketing purposes at any time.

 

Access to your information and correction

You have the right to request a copy of the information that we hold about you.  We want to make sure that your personal information is accurate and up to date.  You may ask us to correct or remove information you think is inaccurate.

 

Retention of data

Once you have ceased to be involved with Snowball Farm we will not retain any data about you for any longer than necessary and have systems in place to ensure this.

 

 

Further information

If you have any questions about our privacy policy or information that we hold about you, please contact us at: office@snowballfarm.co.uk or call our office on 01628 666222.

Our full policy statement follows.

 

 

DATA PROTECTION POLICY

 

Purpose and Background

Snowball Farm holds information about clients, volunteers and other people involved in our activities.  Snowball Farm has a responsibility to look after this information properly, and to comply with the Data Protection legislation, incorporating the EU General Data Protection Regulations (GDPR).  It is likely that the GDPR will continue to form the basis of the UK’s Data Protection legislation, even once the UK has left the EU, and this is taken into account in this policy.

Good Data Protection practice is not just a matter of legal compliance.  Data Protection is about taking care of people and respecting their privacy.

Poor practice or a serious breach in Data Protection could not only harm individuals but also have a serious effect on the reputation of Snowball Farm as a whole.

Scope

This policy applies to information relating to identifiable individuals which is collected, held and processed by Snowball Farm.

Our Legal Basis for using Your Data

Everything we do with records about you – obtaining the information, storing it, using it, sharing it, even deleting it – must have an acceptable legal basis.  There are six principles guiding this:

  1. Consent from you (or someone authorized to consent on their behalf).
  2. Where it is necessary in connection with a contract between Snowball Farm and the individual.
  3. Where it is necessary because of a legal obligation – if the law says you must, you must.
  4. Where it is necessary in an emergency, to protect your vital interests.
  5. Where it involves the exercise of a public function – ie most activities of most government, local government and other public bodies.
  6. Where it is necessary in our legitimate interests, as long as these are not outweighed by the interests of the individual.

Where we are basing our processing on consent we must demonstrate that we hold consent.  This means having a record of who gave consent, when they gave it, how they gave it (eg on website, on a form, verbally, by email) and what they actually consented to.

In the case of legitimate interests, we will do a balancing test to be confident that our legitimate interests in using the data in a particular way – for example in providing our services – are not over-ridden by the interests of the individual.

There are additional considerations if we are holding information about your health data.  We will legitimize the use of any of these categories of data by having your explicit consent.

Where data is held on minors, the same considerations apply but these must be backed up by the consent of a legitimate parent or guardian.

 

Data Protection Principles

Data Protection compliance is based largely on a set of Principles.

The six GDPR principles are:

  • Whatever we do with people’s information has to be fair and legal. This includes making sure that they know what we are doing with the information about them.
  • When we obtain information, we must be clear why we are obtaining it, and must then use it only for the original purpose(s).
  • We must hold the right information for our purposes: it must be adequate, relevant and limited to what is necessary.
  • Our information must be accurate and, where necessary, up to date.
  • We must not hold information for longer than necessary.
  • We must have appropriate security to prevent information being lost, damaged, or getting into the wrong hands.

Our policy sections below reflect each of these principles in a bit more detail.

 

Transparency & Purposes (1st and 2nd principles)

We will make key information available to you at the time we collect information from you.  This includes:

  • the identity and contact details of our organization and the person who is responsible for Data Protection;
  • the purposes we intend to use the data for and our ‘legal basis’ for this (see above);
  • what we regard as our ‘legitimate interests’, if this is our basis for processing.

Other information will be made available where relevant.  This includes:

  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • details of your rights, such as request a copy of all the data held;
  • the right withdraw consent if that is the legal basis for processing (but not retrospectively);
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.

In both cases, we will only tell you things you won’t already know.  For example, when a rider joins our equestrian centre they know that we will keep a record about them and their activities with us; when a volunteer comes along, it is the same.  We will therefore tell you anything that may not be entirely obvious to you.  This could include things like: any direct marketing that we may want to carry out (see below), or any additional purpose(s) that we might use the data for – publicity, perhaps.

‘Data’ or ‘information’ can include paper and electronic documents, photographs, video, CCTV, audio recordings, etc.

 

Direct Marketing

One explicit right that you have is to stop us sending you marketing material (by post, phone, email or text) if you don’t want it.

When we collect information from you that might be used for marketing we will say so at the time and ask you if you are happy to hear from us (using the double opt-in principle).  The wording will be along the line of: “We would like to keep you up to date with information about opportunities and events at Snowball Farm, and how you can support us.”

These rules are only for marketing.  They do not stop us from contacting you in whatever is the most convenient way to give you information about things you have already signed up to, or for other administrative purposes.

Website

We are committed to safeguarding the privacy of visitors to our website.  We collect non-personally identifiable information automatically.  Non-personally identifiable information is information that is not used nor intended to be used to personally identify an individual and is not associated with or linked to Personal Information.

There are two flavours of Cookies –  which are small text files stored on the visitor’s computer when making a visit to our website – session cookies and persistent cookies.  Session cookies are deleted when you shut down your computer.  Persistent cookies will remain on your computer until deleted or time expired.

Most browsers allow all cookies to be rejected, others allow just the rejection of third-party cookies. Blocking all cookies may have a negative impact upon the usability of many websites including Snowball Farm’s website.  You can use the settings function in your device to set permissions or delete cookies.

Snowball Farm uses cookies on the  .snowball.co.uk domain.

To see the cookies associated with Snowball Farm’s website please go to CookieChecker.com

 

Data quality, record keeping and retention (3rd, 4th and 5th principles)

Our activities will be more effective and appropriate if we have good quality records about the people we are working for and with.  GDPR insists on this.  We will ensure we have the information we need, but no more (it must be adequate, relevant and limited to what is necessary) and it will be as accurate as we can make it and – where necessary – kept as up to date as possible.

We will remind our staff and volunteers that the individual has the right to see all the information recorded about them by Snowball Farm.  While Data Protection concerns should never prevent us from recording the information we believe we need (especially in cases relating to safeguarding or other serious misbehavior) it should be appropriate and respectful.  This consideration can be useful in deciding what to record and how to record it.

Snowball Farm will also have a clear policy on how long to keep information.  We will keep a retention schedule for key documents and records, specifying how long we normally keep it, and our justification for this.  A process for ensuring that data is deleted or destroyed routinely at the appropriate time will be operated.

 

Security (6th principle)

We will take good care of the data we hold, whether on computer or on paper, and make sure that we have provided guidance and sufficient training to all our staff so that they treat the information appropriately.

In particular we will think about the risks when data is in transit – either on portable devices or when it is being sent out.  For example:

  • If people are using their personal phone, laptop, camera or other device for Snowball Farm’s purposes there will be clear expectations of how they should be secured.
  • When sending information, particularly by email, we will take steps to prevent confidential information being sent to the wrong person. For example, using password-protected documents and sending the password in a separate email.
  • We will also take care not to disclose your email address or other information inappropriately by carelessly copying in a large number of people or forwarding an email that has been copied widely.
  • Information on paper will be stored securely and will only be taken out of its secure location when this is really necessary. Printed records will not be left in public areas.

Responsibilities

Responsibility for compliance with Data Protection lies with the organization, not with any specific individual.  The Partners as a whole body will be responsible to keep up to date with any developments, to check that we are complying and have the evidence to prove it, to give advice to staff on how to handle any issues such as a data breach or a Subject Access Request.  The Partners may designate someone to be the lead person.

The person currently designated is Miss Nikki Thornton.