What information do we hold, when do we share it and how long do we keep it?
We gather personal information from clients including their name, address, email address, payment details and mobile phone number during the enquiry stage of booking. The client’s name and phone number will be included in our paper Booking Confirmation document is provided to our instructor for the duration of your activity. This will be destroyed following completion of the activity/hire. We have many repeat clients so we will retain your details for next time. If you do not wish us to retain your information please contact us to “be forgotten” and your information will be destroyed immediately .
We will hold your personal information in our secure, password controlled electronic systems, which are backed-up daily on remote servers. System access is restricted to relevant members of staff. It is necessary on occasion, to provide access to our IT support partners for the resolution of technical issues.
Our Acknowledgment of Risk form requires the names and addresses of all participants, including under 18’s. These forms are stored securely and are destroyed after the retention period stipulated by our insurers.
We do not share any client personal information.
For employees we hold name, address, date of birth, phone numbers, bank details, emergency contact’s name and address, and National Insurance numbers.
We will share employee personal information with HMRC and our Pension Scheme. We will hold this information for as long as legally required.
Where do we store your information?
All of our systems used for the processing including storage of client and employee information are online secure systems, which are backed-up regularly by the package providers. All paper-based information is retained within the secure location, with limited access and is destroyed securely when appropriate.
Your Right To Access the Information
You have the right to access the personal information we hold about you. If it is incorrect we will correct it. You can also request for the information to be removed. If you do not wish us to retain your information please contact us to “be forgotten” and your information will be destroyed immediately.
If you would like to download a copy of our privacy statement please click here
Privacy Impact Assessment (PIA)
Schools & Youth Groups
Why do we need a PIA?
By their very nature, many of the activities that we offer are physically challenging outdoor experiences often taking place in remote locations and can present a certain element of risk. It is for this reason that it will be necessary to obtain personal information regarding individual participants to ensure the safety and comfort of all of our clients. This information can be of a sensitive nature such as food allergies and medical details. It is important that our clients have confidence in how we will collect, process and delete this information.
Obtaining, Use and Deletion of Personal Information — Activity Programmes
Personal information regarding individuals will be sought from the activity organiser (e.g. teacher) to ensure the safety and comfort of all participants. Name, age, medical details, special needs, food allergies will be requested as appropriate to the activity. This information will be used solely for the planning and execution of the group’s programme of activities to ensure the safety, comfort and enjoyment of our activities by all participants.
The information will be provided, usually electronically, at the later planning stages of the programme. The details will be provided to the activity instructor in paper form before the activity programme commences. Upon completion of the group booking, the electronic and paper based information will be permanently deleted. This will impact approx. 1,000 clients per annum.
Acknowledgement of Risk (AOR) Forms
Participants are required to complete a paper AOR prior to commencement of certain activities, this includes the participant’s name, address and age (if under 18 years old). These forms are stored securely for the duration required in order to comply with our insurers policy. These forms will be destroyed following the end of the relevant insurance retention period.
We consulted with Ledingham Chalmers as CBP advisers in preparation for GDPR.
The Director (Commercial) will undertake the internal consultation requirements on systems or procedure related issues.
The Director (Operations) will be the internal consultation for all instructor staff in the first instance.
We will consult externally with our legal advisers should the situation occur.
Privacy and related risks
The GDPR responsibilities of the organising body e.g. school or youth group should ensure that they only share with us the necessary information on individual participants. A very limited amount of personal information is necessary to ensure that participants’ safety and comfort is maintained during the activity programme.
Any non-compliance by our staff will cause us reputational damage and result in a loss of trust in us by our clients. We are very proud of our reputation and strive to maintain the high level of trust and respect our team has built with clients over the years.
The following Risk Issues have been identified with the risk to the individual and our safeguards to minimise any form of potential harm to any activity participants. All risk issues are considered to be of an extremely low level to cause any type of harm to participants.
- Inappropriate activity participation due to receiving inaccurate, incomplete or out of date information.
- Our instructors are highly qualified and trained in providing outdoor activities to a wide range of ages and abilities.
- Our instructors will adapt and change their activity plan should an individual be unable to participate fully and safely within our Risk Assessment and Safety Procedures. This may involve ending the activity session.
- Inappropriate or excessive information provided; information disclosed which an individual did not wish it disclosed or information used in an unacceptable manner or in an unexpected way—individuals may feel embarrassed by the disclosures and result in a lack of self-confidence especially within their peer group
- The Director (Operations) will review all participant information provided by a school/youth group. Any inappropriate/unnecessary information will be destroyed before sharing with our instructors
- An individual’s information will never be shared by instructors, all information is destroyed following the completion of the activity programme
- Our instructor monitoring processes and PVG disclosure checks ensure that our instructors are of the highest calibre and extremely trustworthy
- Information is not stored securely, which could lead to inappropriate disclosure of sensitive information
- We do not store any personal information on individual school or youth group participants in our systems
- All information received is destroyed following the completion of the activity programme
If you’d like to download a copy of our policy please click here.