What data do we collect?
Under the terms of the GDPR, BISMA is considered the “processor” of data that individuals (“data subjects”) provide us. Through our day-to-day business interactions with customers we may, where applicable, collect and process the following personal and / or sensitive data:
- Your name
- Your data of birth
- Your gender
- Your specific learning requirements
- Your contact details (phone numbers, postal address(es) and email address(es))
- Your personal or credit card / billing information
- A copy of your passport, drivers license or another form of personal identification
- A copy of any prerequisite course certificates
- Information about how you have engaged with us
- Completed course work relating to the course you are doing
How do we collect this data?
- Learner registration forms
- Emails from learners/staff
- Messages from learners via text or whatsapp
Why do we collect this data and how do we use it?
We collect data in order to fulfil a variety of obligations, and we ensure that those sharing data with us are aware of what information is mandatory and what is optional in order for us to fulfil those different obligations.
Under the terms of the GDPR, we collect and process this data on one or more of the following bases:
- Consent: for example, when you provide us with your email address and formally opt-in to receive marketing communications from us
- Contractual obligations: We hire fitness facilities for course delivery, and at times must share the names of the course attendees for entry purposes
- Legitimate interests: for example, in order to assist with complaints or appeals
- Legal obligations: for example, to assist us and / or law enforcement agencies with fraud investigations
Who do we share your data with?
We take all reasonable steps to ensure that personal data is suitably protected and can only be accessed and processed by those with a legitimate reason to do so. Aside from the relevant BISMA staff, personal data may be shared with the following third parties:
- The awarding body for the qualification being studied (e.g. Active IQ, YMCA Awards, Highfields)
- Facility management (for the different sites we deliver courses)
- Law enforcement agencies, in the event that we are required to assist with legal proceedings
How do we protect your data?
We use a combination of organisational and technical methods to protect your data from unauthorised access and / or accidental loss. Your information is stored securely using password protected encrypted technology, and / or locked in filing cabinets at our offices.
Any personal information that you voluntarily post via public platforms (for example, in a whats app course group, or on the BISMA eLearning platform) may become accessible to others. We cannot be held responsible for any personal information you have shared in this way, so you are advised to exercise caution when deciding when and where to share your information.
How long do we keep your data for?
We retain data for as long as is required to fulfil our ongoing regulatory, quality assurance and / or legal obligations, for a minimum of three years. For example, learner data will be retained beyond the end of a course, in case its required for quality assurance, audits, complaint handling, appeals and / or legal proceedings.
Please refer to the ‘How to contact us’ section if you feel that we are retaining your data for longer than necessary and wish to exercise your “Right to erasure”.
Where you have opted into marketing communications, please note that you can update your preferences or unsubscribe at any time.
How to contact us
If you have any queries or concerns about this Policy or wish to exercise your rights, please email us at firstname.lastname@example.org or submit your communication in writing to:
BISMA – Clarence Centre
6 St George’s Circus
How to lodge a complaint
If you believe that your data protection rights may have been breached, you can lodge a formal complaint by contacting us as described above. If you are unhappy with our response, please visit https://ico.org.uk/concerns to access more information about how to escalate your complaint to the Information Commissioner (if you are in the UK) or to your local data protection supervisory authority.
Changes to this Policy
We may update this Policy from time to time, and when doing so we will include a new version number and date so that you can be sure when that version was introduced.
Version 1 (June 2018)