This policy sets out the different areas where user privacy is concerned and outlines the obligations & requirements of the users, the website and website owners. Furthermore, the way this website processes, stores and protects user data and information will also be detailed within this policy. Our Data Protection Officer is John Reed.
Consent – consent is defined as receiving a data subject’s agreement to process their data. Agreement must be freely given, informed, specific and unambiguous. This consent could be given several ways, such as via a written statement (including by electronic means) or an oral statement. Gaining consent must be clear and unambiguous. The data subject must understand implicitly what they are providing their data for, how it will be processed, who will process it and how long it will be stored.
Data Breach – any accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access of a subject’s data.
Data Controller – ‘controller’ means the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Data Erasure – (also known as the Right to be Forgotten) this entitles the data subject to request that the data controller erase their personal.
Data Processor – ‘processing’ means any operation, or set of operations, which is performed on personal data or on sets of personal data. It is considered processing whether these operations occur by automated or manual means. Processing includes the following activities: collecting, recording, organising, using, structuring, storing, adapting, retrieving, consulting, destroying and more.
Data Protection Authority – the national authority who protects data privacy.
Data Protection Officer – an appointed individual who works to ensure you implement and comply with the policies and procedures set by GDPR.
Data Subject – someone whose personal data is processed by a controller or processor.
Personal Data – any direct or indirect information relating to an identified person that could be used as a means of identifying them. This includes their name, ID number, location data or an online identifier.
Processing – this refers to any activity relating to personal data, from initial collection through to the final destruction. It includes the organising, altering, consulting, using, disclosing, combining and holding of data, either electronically or manually.
Sensitive Personal Data – other factors specific to physical, physiological, genetic, mental, economic, cultural or social identity. This can include genetic data, biometric data, and criminal convictions and offences that, when processed, can uniquely identify a person.
This website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. This website complies with all UK national laws and requirements for user privacy.
What are cookies?
Cookies are small files saved to the hard drive of the user’s computer that track, save and store information about the user’s interactions with and usage of the website. This allows the website, through its server, to provide users with a tailored experience within this website.
We use anonymous session cookies (short-term cookies that disappear when you close your browser) to help you navigate the website and make the most of the features. If you log into the website, application or a course as a registered user, your session cookie will also contain your user ID so that we can check which services you are allowed to access.
Should users wish to deny the use and saving of cookies from this website onto their computer’s hard drive, they should take necessary steps within their web browser’s security settings to block all cookies from this website and its external serving vendors.
Whilst using our website, software applications or services, you may be required to provide personal information (name, address, email, account details, etc.). We will use this information to administer our website, applications, client databases and marketing material. We will ensure that all personal information supplied is held securely in accordance with the General Data Protection Regulation (EU) 2016/679, as adopted into law of the United Kingdom in the Data Protection Act 2018. Further, by providing telephone, fax and email details, you consent to Role Models contacting you using that method. You have the right at any time to request a copy of the personal information we hold on you. Should you wish to receive a copy of this, or would like to be removed from our database, please contact us at firstname.lastname@example.org.
Information Collection and Use
How do we collect information?
Role Models collects information in two possible ways:
When you directly give it to us (“Directly Provided Data”). When you sign up for our site, purchase our products or communicate with us, you may choose to voluntarily give us certain information – for example, by filling in text boxes or completing registration forms. All this information requires a direct action by you at that time in order for us to receive it.
When you give us permission to obtain it from other accounts (“User Authorised Data”).
Depending on your settings or the privacy policies for other online services, you may give us permission to obtain information from your account with those other services. For example, this can be via social media or by choosing to send us your location data when accessing our website from your smartphone.
How long do we keep your data for?
Role Models will not retain your personal information longer than necessary. We will hold onto the information you provide either while your account is in existence, or as needed to be able to provide the Services to you, or (in the case of any contact you may have with our Customer Care team) for as long as is necessary to provide support-related reporting and trend analysis only.
If legally required or if it is reasonably necessary to meet regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our Terms and Conditions, we may also retain some of your information for a limited period of time as required even after you have closed your account or it is no longer needed to provide the Services to you.
Role Models will not sell or rent your personally identifiable information, gathered as a result of filling out the site registration form, to anyone.
Choosing how we use your data
We understand that you trust us with your personal information and we are committed to ensuring you can manage the privacy and security of your personal information yourself.
With respect to the information relating to you that ends up in our possession, and recognising that it is your choice to provide us with your personally identifiable information, we commit to giving you the ability to do all of the following:
You can verify the details you have submitted to Role Models by contacting our customer services team via email@example.com. Our security procedures mean that we may request proof of identity before we reveal information, including your e-mail address and possibly your address.
You can also contact us by the same method to change, correct, or delete your personal information controlled by Role Models regarding your profile at any time. Please note though that, if you have shared any information with others through social media channels, that information may remain visible, even if your account is deleted.
You are also free to close your account through our account settings. If you do so, your account will be deactivated. However, we may retain archived copies of your information as required by law or for legitimate business purposes (including to help address fraud and spam).
You can always feel free to update us on your details at any point by contacting us via firstname.lastname@example.org.
You can unsubscribe from receiving marketing emails from us by clicking the “unsubscribe” link at the bottom of any email. Once you do this, you will no longer receive any emails from us.
You can request a readable copy of the personal data we hold on you at any time. To do this, please contact us via email@example.com.
Processing of personal data
The table below provides an overview of the information that we collect and our basis for processing it.
Basis for processing
Customer name and email and country of residence
Used to deliver our personalised email newsletter
This consent can be withdrawn by clicking the unsubscribe link in any email or by contacting firstname.lastname@example.org
Customer email and high level information about child needs (e.g. our interactive quizzes)
Used to produce a personalised response to the information provided
This information is used to support our newsletter, and the same consent withdrawal applies.
Customer and child data (including data captured via our Parent portal and pre-course forms). This may include sensitive personal data.
Delivery of an in-person course.
Delivery of an online session or course. This includes the Masterclass product and any custom courses.
If you do not provide the personal information requested then we may not be able to deliver the course for your child.
Reviewing a session for safeguarding purposes.
Session recording excerpts
Production of marketing materials
If we wish to use a recording of a session in our promotional materials we will contact you and ask for consent directly.
IP addresses, client info (browser, OS, etc) and session recordings.
Review of the usage of our website. The data captured is not linked to an individual, and any personalised data recorded is masked during playback.
Chat information (message and email address)
Respond to the subject of the chat message with information that we believe is useful.
A full record of the information we hold for you and your child is available on request. You can also request that your data be removed by asking for Data Erasure. If you wish to discuss this or how your personal data is used in more detail, please contact us at email@example.com.
We perform a data audit approximately once per year.
As part of this process we seek to review:
What data we hold and why
For each data set, whether we are the controller or processor of that data
How the data is collected, including where and how consent is captured if necessary for the intended processing
How the data is stored in terms of specific systems
What processing is carried out on the data, including the specific systems used. Each process is based on one of the 6 legal bases for processing data as described by GDPR.
The individual or team within the business that owns and controls the personal data.
The length of time the data is to be retained
The mechanism for deletion at the appropriate time
This information allows us to trace information from where it entered our organisation, how it is used, to the point where it exits the organisation.
The purpose of the review is to ensure our records are up-to-date and that we have categorised both historic and new data.
Data breach reporting procedure
What is a personal data breach?
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.” – Information Commissioner's Office (ICO)
Examples of personal data breaches could include:
Theft of a company laptop / mobile device which has personal data saved on it.
An attack on the company network which leads to the exposure of personal data.
Unauthorised use of the company network or equipment by a member of Role Models staff.
Accidental loss of files or documents which contain personal data.
Failure of equipment rendering personal data irretrievable.
How to report a personal data breach
All potential or actual personal data security breaches should be reported as soon as they are discovered. If for any reason you are unsure that an issue constitutes a personal data security breach, please report it.
To report a personal data security breach please contact the Chief Technical Officer. Please provide as much detail as you can as this information helps us to assess the severity of the breach and decide on the appropriate course of action to ensure that where possible the data is recovered and the risk of a similar incident minimised. If the issue is urgent, please contact the CTO by phone.
Please do not include personal data, such as the names of the individuals involved, in the first instance. If this information is required it will be requested separately.
What happens next?
The breach will be investigated and a permanent record created. This record includes the date/time of the incident, description of the breach, and an assessment of the impact. Remedial measures will be determined and actioned as soon as possible. If necessary, the ICO will be notified in accordance with their guidance.
A review will take place following all breaches to identify any remedial action which may reduce the risk of similar breaches occurring; this may include revised policies and procedures, staff training, or improved security.
Policy last updated: 24th November 2022.
Next review date: January 2023.
We are committed to reviewing our policy and procedures annually.