This privacy policy sets out how Active Luton uses and protects any information that you give Active Luton. It includes data captured in our centres, through our programmes and services and on our websites including:
www.activeluton.co.uk; www.beactivebeds.co.uk; www.lutonsportsnetwork.com; https://www.lutonlibraries.co.uk
Any references made to Active Luton in this policy also includes Be Active and any services offered by them.
Active Luton is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using an Active Luton service; you can be assured that it will only be used in accordance with this Privacy Policy.
Active Luton may change this policy from time to time by updating the information on the Website You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from the review as noted in the Version Control date.
As a Community Wellbeing Trust, Active Luton’s mission is to make a positive impact on the health and wellbeing of its community, inspiring, motivating and offering opportunities for people of all ages, backgrounds and abilities to learn and take action to improve their life chances.
Active Luton runs facilities and provides a wide range of high-quality programmes and activities, all of which enable local people to:
• participate in physical activity
• improve their health and wellbeing
• enhance their education and skills
• create career opportunities
Active Luton is committed to being inclusive, accessible, and affordable, working closely with partners locally, regionally and nationally and continuously looking to bring the best to its diverse and vibrant community.
All our processes and procedures regarding the collection and distribution of personal data have a key driver to demonstrate a commitment to protecting an individual’s privacy. There are various ways that you might interact with Active Luton, and the information you provide when doing so allows us to improve our services. By using this website and our associated websites (collectively, the “Site”) and by supplying your details to Active Luton, you consent to Active Luton collecting and processing your information.
The aims of this document are to explain:
• What information we collect, and why we collect it;
• How we use that information;
• The categories of personal data collected;
• Your rights as a Data Subject;
• Obtaining your Consent;
• How we protect that information;
• How you can control your information, including accessing, updating and deleting what we store;
• How we share information collected;
• Your rights to lodge a complaint.
Collecting and Sharing Personal Information
Active Luton may collect or record basic personal information (e.g., name, e-mail address, mailing address, phone number) which you voluntarily provide through submitting forms via our Website, through electronic mail, or through other means of communication between you and Active Luton.
Active Luton only collects personal information of a more sensitive nature (e.g., bank account details or other ID numbers, credit card details and account numbers) where it is appropriate or necessary for conducting business. This information will be collected, stored, accessed and processed in a secure manner. Active Luton may also collect general non-personal information pertaining to users of our site, including IP addresses, source domain names, specific web pages, length of time spent, and pages accessed. This information is collected, among other things, to aggregate statistical information, facilitate system administration and improve the Site and services offered to you.
Active Luton also collects, uses, and discloses identifiable information about individual contacts for Active Luton’s customers (“Business Contact Information”) in the ordinary course of its business for managing and maintaining customer relationships. In particular, Active Luton may obtain the following types of Business Contact Information: name, address, invoice information including bank account information, and order information. Unless otherwise specified or prohibited, Active Luton may share information with affiliates, business partners, service providers, subsidiaries or contractors who are required to provide you with services which you have requested from us.
Active Luton may also post links to third-party websites as a service to you. These third-party websites are operated by companies that are outside of our control, and your activities at those third-party websites will be governed by the policies and practices of those third-parties. We encourage you to review the privacy policies of these third-parties before disclosing any information, as we are not responsible for the privacy policies of those websites.
Using Personal Information
Active Luton uses the information we collect to provide you with services which you request and to improve our existing services and the content of our Site. When you contact Active Luton, we may keep a record of your communication to help solve any issues that you might be facing. Your information may be retained for a reasonable time for use in future contact with you, or for future improvements to Active Luton services. In the event the information you provide to us is an application for employment, that application will be held in accordance with our Document Retention Policy. You have the option to opt-in for further communications from Active Luton.
Active Luton may also use or disclose your personal information when Active Luton believes, in good faith, that such use or disclosure is reasonably necessary to (i) comply with law, (ii) enforce or apply the terms of any of our user agreements, or (iii) protect the rights, property or safety of Active Luton, Active Luton’s users, or others. Active Luton reserves the right to transfer and disclose your information if Active Luton becomes involved in a business divestiture, change of control, sale, merger, or acquisition of all or a part of its business.
Web User Tracking – Use of Cookies, IP Addresses and Aggregate Information
Cookies are a technology that can be used to help personalise your use of a website. A cookie is an element of information that a website can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it or decline at any time. To enable Active Luton to assess the effectiveness and usefulness of this Site, and to give you the best user experience, we collect and store information on pages viewed by you, your domain names and similar information. Our Site makes use of anonymous cookies for the purposes of:
• Completion and support of Site activity;
• Site and system administration;
• Research and development;
• Anonymous user analysis, user profiling, and decision-making.
An Internet Protocol (“IP”) address is associated with your computer’s connection to the internet. Active Luton may use your IP address to help diagnose problems with Active Luton’s server, to administer the Site and to maintain contact with you as you navigate through the Site. Your computer’s IP address may also be used to provide you with information based upon your navigation through the Site.
Aggregate information is used to measure the visitors’ interest in, and use of, various areas of the Site and the various programmes that Active Luton administers. Active Luton will rely upon aggregate information, which is information that does not identify you, such as statistical and navigational information. With this aggregate information, Active Luton may undertake statistical and other summary analyses of the visitors’ behaviours and characteristics. Although Active Luton may share this aggregate information with third parties, none of this information will allow anyone to identify you, or to determine anything else personal about you.
Your Rights as a Data Subject
The Data Subject is the person or persons Active Luton hold any information on and for. As the Data Subject, you can be assured that:
• The Data Subject has the right to Access personal details upon request
• The Data Subject has the right to rectify any inaccuracies within their data
• The Data Subject has the right to have all their personal data erased (right to be forgotten)
• The Data Subject has the right to rectify any processing of their personal data
• The Data Subject has the right to obtain a copy of their personal data in a commonly used format and have it transferred to another controller
• The Data Subject has the right to object to the processing of their personal data
• The Data Subject has the right to object to any automated decision making
• The Data Subject has the right to compensation for damages caused by infringements of the Regulation from the Data Controller or Data Processor
All requests by the Data Subject to petition any of the above Rights should be, in the first instance, raised with the Data Protection Officer by emailing dpo@activeluton.co.uk
Data Protection Principles
Under the General Data Protection Regulation (GDPR) Active Luton is committed to ensuring that:
personal data is processed lawfully, fairly and in a transparent manner.
personal data is collected for specific, explicit, and legitimate purposes.
personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
personal data is accurate and, where necessary, kept up to date, and all inaccuracies having regard to the purposes for which it was collected are erased or rectified at the first opportunity.
personal data is kept no longer than is necessary for the purpose for which it was collected.
personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage is carried out using appropriate technical or organisational methods.
personal data is limited to what is necessary in relation to the purpose for which it was collected, adequate and relevant.
personal data is collected and processed in a legal manner in relation to consent, categories of personal data, contract and legal obligations, legitimate, vital and public interests, and process documentation.
Consent
Giving Consent to Active Luton will only be undertaken where the individuals have:
a genuine choice and level of control over how their data is used.
the right to ONLY opt-in to give consent with no pre-ticked or implied consent options.
been made fully aware of what they are consenting to.
the right to withdraw consent at any time by speaking to a member of staff or emailing dpo@activeluton.co.uk.
the right to know the purpose of collecting and processing their data.
There is the need for Active Luton to collect and process personal data without consent in the fulfilment of its duties and obligations to you, where appropriate. (For example: Personal and banking information will be required to process direct debit payments for membership fee collections).
Active Luton will hold a copy of your consenting action in relation to who consented, when and how you were told. This information will be kept by Active Luton as long as is deemed appropriate.
Special categories of data, defined by the GDPR as data which may be ‘particularly sensitive in relation to fundamental rights and freedoms’ and deserve specific protection, will only be requested for specific and documented reasons. Any special categories of data requested will only follow an affirmative and explicit action by the customer to give consent for this data to be collected.
All third parties who partner Active Luton will be verified as offering a good standard of data security for Active Luton customer information, meeting the necessary requirements for GDPR before any partnership agreement is undertaken.
Collection and Use of Employee Personal Information
We also collect personal information from our employees, casual workers, volunteers and individuals undertaking work experience, and from job applicants (human resources data) in connection with administration of our human resources programmes and functions. These programs and functions include but are not limited to job applications and hiring programmes, employment checks, compensation and benefit programs, performance, review and development processes, training, access to our facilities and computer networks, employee profiles, employee directories, human resource recordkeeping, and other employment related purposes. We may collect personal data from third parties such as health information, references or information from criminal record checks by consent. We normally only seek this information once a job offer has been made. It is the policy of Active Luton to keep all past and present employee information private from disclosure to third-parties, as noted in our Retention Policy.
There are certain business-related exceptions, and they are:
• To comply with local, regional, national contractual legislation requests.
• Inquiries from third-parties with a signed authorisation from the employee to release the information, except in situations where limited verbal verifications are acceptable (see below).
• Third-parties with which Active Luton has contractual agreements to assist in administration of company sponsored benefits.
Prospective employers, government agencies, financial institutions, and residential property managers routinely contact Active Luton requesting information on a former or current employee’s work history and salary. All such requests of this type shall be referred to and completed on a confidential basis by the Human Resources team or payroll department. For written verification of employment requests, information will be provided on the form only when it is accompanied by an employee’s signed authorisation to release information. The form will be returned directly to the requesting party and filed as part of the Human Resources or payroll department’s confidential records.
Security
The security of your personal information is important to us. We follow generally accepted best practice industry standards to protect the personal information submitted to us, both during transmission and once we receive it.
Active Luton uses all reasonable measures to safeguard personally identifiable information, which measures are appropriate to the type of information maintained and follows applicable laws regarding safeguarding any such information under our control. In addition, in some areas of our Sites, Active Luton may use encryption technology to enhance information privacy and help prevent loss, misuse, or alteration of the information under Active Luton’s control. Active Luton also employs industry-standard measures and processes for detecting and responding to inappropriate attempts to breach our systems.
No method of transmission over the Internet, or method of electronic storage, can be 100% secure. Therefore, Active Luton cannot guarantee the absolute security of your information. The Internet by its nature is a public forum, and Active Luton encourages you to use caution when disclosing information online. Often, you are in the best situation to protect yourself online. You are responsible for protecting your username and password from third-party access, and for selecting passwords that are secure.
Monitoring and Enforcement
Active Luton regularly reviews our compliance with our privacy policy. We also adhere to several self-regulatory frameworks in addition to complying with applicable law. If we receive formal written complaints, we will follow up with the person making the complaint. We work with the appropriate regulatory authorities to resolve any complaints that cannot be resolved directly.
Compliance
Active Luton adheres to the European Union ("EU") Data Protection (95/46/EC) and e-Privacy (2002/58/ED) Directives, the Data Protection Act 2018, and the UK General Data Protection Regulations. Active Luton does, for legitimate business reasons, transfer minimal data outside the EU and all/any company in the US will be required to adhere to the GDPR principles and have signed up to the US Privacy Shield.
Data Protection (UK)
Active Luton is registered as a Data Controller under the Data Protection Act: Certificate of Registration number Z927271X.
Information Processor Activities
Active Luton operates as an information Data Controller for our business customers located in the EU. Active Luton’s business customers remain the information controllers with respect to any UK Customer Information that they provide to Active Luton for our provision of services. Active Luton therefore acts in accordance with the instructions of such customers regarding the collection, processing, storage, deletion and transfer of EU/UK Customer Information, as well as other matters such as the provision of access to and rectification of EU/UK Customer Information.
Individuals may contact the Privacy Contact identified below to review any personal information held about them. Active Luton reserves the right to take reasonable steps to authenticate the identity of any such individual seeking access to such personal information. Questions, comments, or access requests regarding EU/UK Personal Information should be directed to the Privacy Contact identified below.
Retention of Personal Data
Active Luton will only continue to hold personal data for a reasonable time to a point where the data is no longer required or used. At such a point, some of the personal data may be retained for a longer period for e.g. statistical and performance analysis, but other data e.g. personal bank details will be deleted once a membership has been cancelled.
Retention periods also exist for data collected and processed for Financial & HR purposes, CCTV imagery, Insurance and Liabilities and to allow Active Luton to undertake its services for customers, commissioners, and stakeholders. All the Retention periods of personal data is noted in the Retention Policy.
Children’s Online Privacy Protection – COPPA
Active Luton routinely collects data on children in order to undertake the delivery of its services. This may include personal information including name, address, date of birth, school, etc. This information will only be used for the purpose for which it was collected. E.g. swimming lessons, holiday activities, library usage.
Parental or Guardian consent is requested for all usage in, for example, junior fitness memberships, for children and adolescents up to the age of 16.
Accessing and Updating Your Personal Information
If you have provided Active Luton with your personal information, you have the right to inspect the information stored by us for accuracy or may request that the information be removed from our records. Active Luton will make all reasonable efforts to comply with such requests except where it would require a disproportionate effort (for example developing a new system or changing an existing practice). We may require that you verify your identity before we act on a request to edit or remove your information. Please direct any questions about your information to the Data Protection Officer dpo@activeluton.co.uk.
Social Media and Third-Party Website Applications
We occasionally use a variety of new technologies and social media options to communicate and interact with customers, potential customers, employees, and potential employees. These sites and applications include popular social networking and media sites, open-source software communities and more. To better engage the public in ongoing dialogue, certain Active Luton businesses use certain third-party platforms including, but not limited to, Facebook, X (formerly Twitter), and LinkedIn. Third-Party Websites and Applications (TPWA) are Web-based technologies that are not exclusively operated or controlled by Active Luton. When interacting with the Active Luton presence on those websites, you may reveal certain personal information to Active Luton or to third parties. Other than when used by Active Luton’ employees for the purpose of responding to a specific message or request, Active Luton will not use, share, or retain your personal information.
• The Facebook privacy policy is available at: http://www.facebook.com/policy.php
• The X (formerly Twitter) privacy policy is available at: https://twitter.com/en/privacy
• The LinkedIn privacy policy is available at: http://www.linkedin.com/static?key=privacy_policy
Services Provided by Contracted Third Parties
Active Luton may share information with third-party organisations that provide specific services on our behalf which enhance our products and your experience with us. These organisations act as a Data Processor under our instructions with the exception of Turning Point in which we act as the Data Processor. They may process data securely outside of the EEA. There is a contract in place with each third-party which includes strict terms and conditions to protect your privacy.
Our current processing partners include but not limited to: Legend Club Management, The NHS, Turning Point, SirsiDynix, SwimTag, Innovatise, Life Fitness/Halo, Coordinate Sport, Jobcentre Plus, Better Impact, Great Place to Work and Leisure Net.
Please note: Use of services provided by our partners will be subject to the terms and conditions and/or Privacy Policies of these third-party organisations. Please see the links to these third-party terms that also apply above and beyond these here:
• Legend Club Management
• SwimTag
• SirsiDynix
• Life Fitness
• Coordinate Sport
• Innovatise
• Better Impact
• Leisure Net
• Crossover
• MiClub
• Turning Point
• NHS
• Great Place to Work
Changes to this Privacy Policy
Active Luton may change this privacy policy from time to time. If this privacy policy changes, the revised privacy policy will be posted at the "Privacy Policy” link on the Site’s home page. In the event that the change is significant or material, we will notify you of such a change by revising the link on the home page to read "Newly Revised Privacy Policy." Please check the Privacy Policy frequently. Your continued use of the Site constitutes acceptance of such changes in the Privacy Policy, except where further steps are required by applicable law.
Contacting Active Luton
Questions regarding this Privacy Policy should be directed to the Data Protection Officer dpo@activeluton.co.uk