4.8 Data Protection

4.8 – Data Protection
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
• used fairly, lawfully and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant and limited to only what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:
• race
• ethnic background
• political opinions
• religious beliefs
• trade union membership
• genetics
• biometrics (where used for identification)
• health
• sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

As a franchisee this will mean that you will need to follow the below basic principles when operating your franchise:
• Printed registers at sessions should not contain personal information other than a parent and child’s name and medical information. Phone numbers should be stored electronically.
• Emails should only be sent to those that have given permission for you to contact them.
• All data should be only accessible to you and should be password protected.