PRIVACY POLICY

At Stevenage Leisure Limited (“SLL”) we are committed to protecting your privacy. Your trust is important to us. This Privacy Policy, together with our Terms of Use, tells you which personal information we collect and what it will be used for. SLL is committed to complying with the Data Protection Act 2018 and the General Data Protection Regulation 2018. We update this policy from time to time so please return and review this document regularly.
This policy is intended for customers and/or users of Stevenage Leisure. If you are a prospective, current or former employee of SLL please refer to our HR Privacy Policy.

 

Who is SLL? 

Stevenage Leisure Limited is a UK registered charity no. 1144638 and a community-based and focused Non-Profit Distributing Organisation (NPDO). We manage various centres across Hertfordshire, Bedfordshire, Cambridgeshire and Rutland. Our head office is located at Stevenage Arts & Leisure Centre, Lytton Way, Stevenage, Hertfordshire, SG1 1LZ. The company is registered in England under company number 3446357.

 

Topics:

  • Who do we collect personal information from?
  • When we collect your personal information and what our legal basis is for doing so
  • Which information do we collect and process about you?
  • How will we use your information?
  • How long do we keep your information?
  • Who will my personal information be shared with?
  • Personal information relation to children
  • How will my personal information be protected?
  • Your rights to manage your information
  • Cookies
  • Other websites
  • Changes to our privacy policy
  • Security precautions
  • Who can I contact about my rights over my personal information or any other questions I might have?

 

Who do we collect personal information from?

We collect and process information from a range of individuals, including:

  • those who have become a member of one of our centres or theatres,
  • those who have purchased tickets at one of our theatres,
  • those who have expressed a strong interest in joining one of our centres or theatres,
  • those who have used or have expressed a strong interest in using our services and activities,
  • those who are members of or have expressed an interest in joining our swim school
  • and those who have visited our sites or website.

The information collected when you browse our website is called cookies. Please view the ‘cookies’ section within this Privacy Policy for more information on this. 

 

When we collect your personal information and what our legal basis is for doing so:

In order to operate our business we need to collect personal information. We are committed to protecting your personal information and will only collect the information if we need to for a specific purpose and providing we have a legal basis, as explained below:

Legal basis for collecting your personal information

Reason for collecting and using your information

Contract

When you join one of our centres or theatres or book an activity for yourself or a member of your family we collect and store personal information in order to provide you with services.

When you pay for a membership, other service or purchase by credit card we collect your credit card details in order to process that transaction.

Legitimate Interests

When you join one of our leisure centres we collect personal information in order that we can provide a personalised service tailored to your health and fitness goals and provide information that may be of interest to you.

When you join one of our theatres we collect personal information in order that we can provide a personalised service based on the performances you have attended and provide information that may be of interest to you.

We also collect personal information to ensure your health and safety when using our facilities and to get in contact with your emergency contact if needed.

If you have expressed a strong interest in joining one of our centres or using our services and activities, we will collect and use your personal information in order to contact you about it.

When we capture your image on CCTV for prevention and detection of crime, safeguarding staff and visitors and ensuring compliance with health and safety procedures.

We are sometimes required to collect information about your ethnicity and other sensitive data in order to provide aggregated reports to your local authority or commissioning group. This information is used only for statistical purposes and is always kept secure.

Consent

When you opt-in to our Physical Activity Referral Service we collect information about any health or disability conditions you may have.

When we take photos or film of people who are easily identified in order to promote our service we will collect your personal information and share it with our designers and selected promoters.

We also collect information when you voluntarily complete customer surveys, provide feedback and participate in competitions.

In order to provide our services to you we process ‘special category information’.  This is more sensitive personal information such as health and ethnicity. 

We collect health information to ensure we are offering you the right services and so that your progress can be tracked by yourself and us. We may ask you for information about your health in order to recommend appropriate exercise regimes or offer other services. We rely on your explicit consent to do this. We take extra care to ensure any special category information you share with us is kept secure and is only used for the purpose for which it was given.

Legal Obligation

We have to pass on your information if we think you or your family, or someone working with you could come to harm.  We will do this in line with our Safeguarding for Childcare Professionals policy.

If you make a data subject request under the DPA 2018 or GDPR 2018 we will collect your personal information in order to comply with the law.

 

 

Special category information 

Where the information we process is special category information, for example your health information, the additional basis for processing that we rely on under the GDPR is: 

  • Article 9(2) (a) Explicit consent

Where the special category information is ethnicity, the additional basis for processing that we rely on under the GDPR is: 

  • Article 9(2) (j) Archiving, research and statistics (with a basis in law)

In addition we rely on processing conditions at Schedule 1 part 1 paragraph 8 of the DPA 2018. This relates to the processing of special category information that is necessary for the purposes of equal opportunities monitoring. 

 

Which information do we collect and process about you?

Contact with SLL

Personal Information we may collect and process

When joining one of our centres or booking an activity:

Name, date of birth, contact details, bank details, ethnicity, health* and fitness goals, interests, any relevant medical information, emergency contact, proof of ID

If you attend the activity: contact details, time, date and venue of session/activity for NHS Test and Trace.

If you book any of our child activities or services including our play scheme, crèche, parties or swim school:

Child’s name, date of birth, address and medical information as well as the parent/carer’s name, date of birth, contact details and bank details, emergency contact

If the child attends the activity: parent or carers’ contact details, time, date and venue of session/activity for NHS Test and Trace.

If you have a Direct Debit mandate in place:

Bank account number and sort code information.

When the Direct Debit mandate finishes we will remove this data from our operational systems within 30 working days.

If you pay by credit card:

Bank card information at the time we take payment.

This data is processed on Payment Card Industry Data Security Standard compliant banking systems.

If you visit our website, buy a membership online or book a course or session online:

Email address, online account password, IP address.

If you attend the course or session: contact details, time, date and venue of session/activity for NHS Test and Trace.

Please see below for information about cookies and information about other websites.

When you use any of our facilities:

Usage information, health and fitness related data

If you attend the course or session: contact details, time, date and venue of session/activity for NHS Test and Trace.

If you have a corporate membership paid by your employer we may share your usage information with them. We will never share health and fitness related data with them without your consent unless required to do so by law.

If you opt-in to our Physical Activity Referral Service or other health programme

We will use information about any health or disability conditions* you may have in order that we can devise an appropriate activity programme for you.

If you opt in to receiving marketing material or newsletters from us

Contact details.

You can opt out of this at any time.

If you contact us

A record of your contact information and enquiry (so we can reply if necessary)

If you express a strong interest in joining one of our centres or using our services and activities

Name, contact details. (If your interest has been in a child’s activity we will also collect child’s name and date of birth)

When you visit any of our facilities

CCTV images (for the prevention, identification and reduction of crime). For more details of how we record, use and store images on CCTV please ask to see our CCTV Code of Practice.

Name, telephone number and email address, date and time in and out to be shared with NHS Test and Trace.

When you provide customer feedback:

Name, contact details, opinions

If you exercise your data subject rights under the DPA 2018 or GDPR 2018

Name, contact details

*We ask for any relevant personal health data when you register and signing up for our services. We collect this information to ensure we are offering you the right services and so that your progress can be tracked by yourself and us. We may ask you for information about your health in order to recommend appropriate exercise regimes or offer other services.

 

How will we use the information about you?

When information is collected by SLL

How information is used

When you join one of our centres or book an activity:

Your information is used to ensure you get the most benefit from our services.

It is used to set up, verify and manage your membership/activity, create tailor-made programmes, allow you to track your workout progress and to verify which activities you have undertaken.

It is used to get information from credit reference agencies and fraud prevention agencies where necessary.

It contributes to equal opportunities monitoring (your information will be anonymised so no one can identify you).

We are mandated by law to share it with NHS Test and Trace in order to minimise transmission of the COVID-19 virus.

If you pay by Direct Debit mandate or pay by credit card

To take payments for your membership or for goods/activities/services purchased.

If you opt-in to our Physical Activity Referral Service

We will use information about any health or disability conditions you may have in order that we can devise an appropriate activity programme for you.

When you and your family use our services:

Your information about which facilities you have used is used to:

  • keep you updated by text, email and/or phone on relevant matters such as class cancellations, membership terms or bookings changes, booking confirmations, and important updates regarding the centre and changes to your membership.
  • send marketing information via email, telephone, text and/or post about our other products and services we think may be of interest to you. You will have the option to opt-in to these when you initially provide information to us or when we collect information from you, and can opt out/update your preferences at any time by contacting any of our centres of by contacting dpo@sll.co.uk
  • develop and improve our services for your benefit.
  • Inform NHS Test and Trace if requested if you have attend one of our Centres after someone has visited who has subsequently tested positive for COVID-19.

When children are booked onto our services:

Your child or children’s information is used to set up their membership/activities.

Their parent/carer details are used to verify and manage this membership/activity on their behalf.

Emergency contact details and medical information is collected so staff can respond to the best of their ability in case of emergency.

Inform NHS Test and Trace if requested if you or your child has attend one of our Centres after someone has visited who has subsequently tested positive for COVID-19.

If you express a strong interest in joining one of our centres or using our services and activities:

We will contact you to give you more information about the service/activity/membership you have expressed an interest in.

When you provide customer feedback:

To improve our services.  If you have provided your contact details and would have given your consent to be contacted we will be in touch to discuss anything you may have raised.

If we have a legal obligation to share your personal information:

 

We have to pass on your personal information to the relevant authorities if we think there is a serious risk to you or your family, or someone working with you.

We have to pass on your personal information to statutory authorities if requested, such as HMRC and NHS Test and Trace.

How long do we keep your information? 

Your personal information will only be kept for as long as it is needed.  Once your personal information is no longer needed it will be securely disposed of.  Information collected for the NHS contact and trace will be kept for a maximum of 21 days.

 

Who has access to your information?

SLL will never sell your personal information. However we may share your personal information with third parties in the following situations:

When SLL shares your information

 

Processing your membership application

We may send your personal information to credit reference agencies and fraud prevention agencies where necessary.

Taking payments for sessions/performances

In order to process your payment for any bookings we may share your details with a booking system and an organisation that manages Direct Debit collections.

Corporate memberships

If your employer pays for your membership we may share your usage data with them.

Ensuring your safety, and the safety of others, and complying with the law

We may share your information if we have a legal duty to do so.

Marketing our services

We may share your mobile phone number or email address with marketing companies if you have given us permission to do so.

You can opt-out at any time by ‘unsubscribing’ which is included in all our texts and emails to you.

Providing reports for various funding bodies

As a condition of the funding we receive we may have to provide some personal information as evidence of how effective we are in providing services.

We may also supply them with personal information in order that they can provide services needed.

This information will be anonymised so you won’t be able to be identified from the information given.

If you do not want your personal information to be included in this reporting please contact dpo@sll.co.uk

Providing contact information to NHS test and tract

If a contact tracing exercise is in progress we will share your details with the NHS contact tracing service if relevant, who will contact you separately for further information.

If you are under 18 years old, we will contact you by phone wherever possible and ask consent from your parent or guardian to continue the call.

A list of the types of organisations (data processors) and the personal information we share with them can be found in Annex A.

A list of the various organisations SLL operates as a data processor, data controller or joint data controller with can be found in Annex B.

 

Personal information relating to children 

Our services are used by people of all ages. SLL accepts website bookings and enquiries and collects personal information from individuals. Children aged under 16 years must have a parent or guardian’s consent before providing personal information to us. We will not collect any personal information without this consent.

 

How will my personal information be protected? 

SLL takes information security very seriously. Only authorised staff will be able to access your personal information. SLL has appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.

SLL reserves the right to transfer your information to countries outside the European Economic Area. If we do so we will ensure it has the same level of protection that it would have in the EU.

There are also procedures in place to deal with any suspected information security breaches. SLL will notify you and any applicable regulator of a suspected information security breach where we are legally required to do so.

Your rights under Data Protection regulations

What this means for you

Accuracy of information

We will strive to ensure that the information we hold about you is accurate and relevant. If you believe the information we hold about you is out of date or incorrect, please contact us (see below).

Seeing your information – subject access request

 

The Data Protection Act 2018 and the General Data Protection Regulation 2018 give you the right to know what personal information we hold about you in certain circumstances (you can only have access to your own information and any child that you have parental responsibility for aged under 13 years old). This is called a Subject Access Request.

Removing your information

If you no longer use our services and products and wish us to delete your personal information we will do this if there are no legal or statutory regulations requiring us to keep this it.

Restricting processing

If you want us to stop using your personal information but don’t want us to delete it we will restrict its use unless we have a legal duty to continue to use it, are using it to defend any legal claims or it is needed for safeguarding someone.

Objecting to your data being used

You have the right to stop to your personal information being used for direct marketing. You can also object to your personal information being used for statistical purposes, our legitimate interests and for a task being carried out in the public interest. We will consider your request, balancing your data rights with the legitimate interests or public interest of continuing the processing.

Transferring your data

In some circumstances, you can ask us to transfer your information to another organisation.

Automated decision making

Automated decision making and profiling is a decision made automatically without any human involvement. SLL will only engage with Automated Decision Making and Profiling where it is necessary to enter into, or perform, a contract with an individual, or where it is authorised by law.

The only automated decision making SLL makes is based on member status. There are three levels of activity within member status; active, high risk and inactive. Based on how recently a member has used the centre, their member status will be automatically adjusted.

Your rights to manage your personal information 

If you want to contact us about any of these rights please tell a member of staff or contact our Data Protection Officer (details below). 

 

Freedom of Information Requests

You have a right to know about the activities of local authorities, unless there is a good reason for you not to. Some of the services SLL provides are funded by local authorities and some of the information we hold is covered by the Freedom of Information Act.


Anyone can make a freedom of information request – you do not have to be UK citizens, or resident in the UK. Freedom of information requests can also be made by organisations, for example a newspaper, a campaign group, or a company.


If you want to make a Freedom of Information request you need to contact the relevant local authority directly to make the request. Please contact our Data Protection Officer (Baronie Shepherd, dpo@sll.co.uk 07785 462 593) for more information if needed.

 

 

Cookies

The SLL website uses cookies to gather certain information about you. Cookies are pieces of information placed on your computer to allow websites to recognise you when you visit. It collects information about your browsing actions and visitor behaviour information but does not identify you as an individual.
 


We use the information gathered from cookies to get an idea of what elements of the website are best performing and what could be improved.
For further information about cookies, please visit www.aboutcookies.org or www.allaboutcookies.org.
 


You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However in a few cases, some of our website features may not function as a result.

 

Other websites

Our website contains links to other websites. This privacy policy only applies to the SLL website, please read each company’s policy when using their website. We cannot be held responsible for the privacy policies and practices of third party websites.

 

Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on this page. This privacy policy was last updated on 30 September 2020, in line with guidance from the Information Commissioner’s Office, the General Data Protection Regulation 2018 and the Data Protection Act 2018.

 

Changes of business ownership and control 

SLL may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of SLL. Information provided by you will, where it is relevant to any part of our business so transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use your information for the purposes for which it was originally supplied to us. We may also disclose information to a prospective purchaser of our business or any part of it.


In the above instances, we will take steps with the aim of ensuring your privacy is protected.

 

Security precautions

We are committed to ensuring the protection of your personal information. Any payment transactions made will be encrypted and protected using SSL technology.
The transmission of non-sensitive details (such as your email address) made via the internet is not guaranteed 100% secure, except where you see the green padlock in the address bar. Although we will do our best to protect your personal data, we cannot guarantee the security of any data transmitted to our site (unless you see the aforementioned padlock icon); any transmission will be at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential.

 

Who can I contact about my rights over my personal information or any other questions I might have?

If you have any questions, concerns or complaints, or if you would like more information about anything mentioned in this privacy policy, please contact our Data Protection Officer:

Baronie Shepherd

Stevenage Leisure Ltd
Stevenage Arts & Leisure Centre
Lytton Way
Stevenage
SG1 1LZ
dpo@sll.co.uk

We take any complaints about our collection and use of personal information very seriously.

 

If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our information processing, please raise this with us in the first instance.

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights. You have the right to contact them should you wish:

  • Report a concern online at https://ico.org.uk/make-a-complaint/
  • Call 0303 123 1113
  • Or write to: 

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

Annex A – Data Processors 

Data processors are third parties who provide certain parts of our services for us. We have contracts in place with them and they cannot do anything with your personal information unless we have instructed them to do so.
Our current types of data processors are listed below.

Type of Organisation

Services Delivered

Personal Information Shared

Customer management software providers

Core systems for member information.

Contact details including emergency contact information, customer usage information, medical information

Marketing 

Design consultants, communications software, marketing automation services

Photographs and videos, contact details, IP addresses

Fitness equipment software providers

Enable customers to use machines and track their fitness progress.

Contact details, usage information

Health & safety analysis and management provider

Accident analysis and management system

Details of individuals involved in health and safety incidents.

Direct Debit management provider

Handles Direct Debit collection

Contact details, bank details

 

Annex B – List of organisations that SLL works with as a Data Processor, Data Controller or Joint Data Controller

Data controllers are organisations that commission SLL to deliver services.  They may also run services themselves. 

Our current data controllers / joint data controllers are listed below. 

When SLL processes your details for NHS Test and Trace it acts as a data processor for these organisations.

Central Bedfordshire Council
Priory House
Monks Walk
Chicksands
Shefford SG17 5TQ

Hertfordshire County Council
County Hall
Pegs Lane
Hertford
SG13 8DQ

Knights Templar School
Park St
Baldock
SG7 6DZ


North Herts District Council
Council Offices
Gernon Road 
Letchworth Garden City 
SG6 3JF

Rutland County Council
Catmose House
Catmose Street
Oakham
LE15 6HP

Silsoe Community Trust
72 Newbury Lane 
Silsoe 
Bedfordshire
MK45 4EX

Stevenage Borough Council
Daneshill House 
Danestrete
Stevenage
SG1 1HN

 

 

​​