Definitions
Policy Statement
Information Stored
Medical Information
Contact Information
Free Trial Students
Staff/Volunteers
Financial Information
Other Information
Information Access
Computers
Mobile and Removable Storage Devices
Cloud Storage
Paper Documents
Sharing Information
Breaches of Data Protection
Staff Requirements
“BMABA” means British Martial Arts and Boxing Association, including anyone employed by or authorised to act on its behalf.
“Contact Information” means email address, postal address, telephone numbers, social media or instant messaging IDs (or similar), or any other piece of information which would facilitate contact with the customer.
“Customer” means someone who has engaged with YMA in some way, such as a Member, ex-Member, or Enquiry.
“Data Protection Officer” means the person responsible for ensuring that YMA conforms to UK data protection legislation, currently Ewan Hewett of YMA.
“Enquiry” means someone who is potentially a Free Trial Student, or has the permission/authority to act on their behalf, who has made a request for YMA to contact them.
“ex-Member” means someone who has previously been a Member, and has either terminated or had their Membership terminated.
“Free Trial” means the period of time for which the person is a Free Trial Student of YMA.
“Free Trial Student” means someone who has attended a class YMA on a free trial basis but has not yet become a Member.
“Member” means someone who has an active agreement with YMA for payment and/or attending classes, or other similar agreement.
“Membership” means the period of time for which the person is a Member of YMA.
“LNZ” means London and Zurich, the company that manage direct debits for YMA.
“Personal Information” means any information that is not Contact Information but directly relates to an individual; including but not limited to, date of birth and medical information.
“Products” means any YMA branded product, including but not limited to sparring equipment, uniform, belts, and sporting equipment.
“Third Party” means YMA, BMABA or LNZ.
“Third Party System” means a system used and/or owned by YMA, BMABA or LNZ.
“Services” means both contact and non-contact martial arts training.
“Staff” means voluntary and non-voluntary individuals, working on behalf of YMA, including but not limited to assistants to the Instructor, Certified Instructors, Licensee’s and support staff, such as the Welfare Officer.
“Chief Instructor(s)” means those people principally responsible for the martial arts disciplines taught by YMA.
“Academy”, “We”, “Our”, or “Us” means YMA.
We take our customers’ privacy seriously and will only use personal information to provide the products and services that we have been requested to provide. The purpose of this policy is to explain:
How data is obtained;
Why data is obtained;
Where it is stored;
How it is used;
Who has access to the data;
When and why data is shared with a third party;
When it is used; and,
When and how it is destroyed.
Under the General Data Protection Regulations there are 6 lawful bases for processing personal and sensitive personal data. These are:
Consent;
Contract
Legal obligation;
Vital interests;
Public task; and,
Legitimate interests.
The lawful basis for processing will differ dependent on the type of data. Therefore, within the type of data defined within this policy, there will be a confirmation of the basis upon which we are processing it.
Any situations or considerations not expressly afforded for by this policy will be at the discretion of the Data Protection Officer to appropriately respond to.
Most data is collected at two points during the customer’s engagement with us: during the Free Trial, and during enrolment. Examples of such data include, but are not limited to:
Medical information relating to the Member/Free Trial Student;
Personal contact information;
Contact information for the Member/Free Trial Student’s next of kin or another emergency contact (whichever the signee of the Student Analysis form provides);
The bank details of the person paying the Member’s tuition; and,
Any other personal data required to either ensure the Member/Free Trial Student’s safety, and/or so that they are licenced and insured to practice martial arts with YMA.
We store the following information for ex-Members for 12-months following the date of termination:
Full-name;
Date of birth (for identification purposes in case we have two individuals with the same name);
Belt ranking; and,
Graduation history.
This is so that if the ex-Member decides to return to YMA, they have the opportunity to resume their training where they left off rather than having to start from the beginning of the belt system.
We require pertinent medical information from all Members before they can join in with any classes, which is why we ask all Free Trial Students to complete a Health Questionnaire prior to partaking in the class. Our reason for processing medical information is on the basis of legitimate interest; we need to ensure that all staff responsible for the safety, first aid and/or management of exercise for the Member/Free Trial Student can be made aware or can gain access to this information.
It is the responsibility of the Member/Free Trial student, or their Parent/Guardian, to inform YMAof any changes to the Member/Free Trial Student’s health which could have an impact on the activities they participate in during a class prior to such activities taking place.
Should an issue arise whereby a Free Trial Student, Member, ex-Member or a Parent/Guardian of one of these individuals, presents a legal challenge to YMA due to an injury or other issue where the medical information provided or not provided is relevant this information must be available.
This includes but is not limited to digital or paper copies of the Member/Free Trial Student’s medical forms, accident books and any letters, emails or other communications relevant to the Member/Free Trial Student’s medical issues.
So that we can adequately defend ourselves against any such legal challenge, copies of all Health Questionnaires completed by a Member/Free Trial Student, or their Parent/Guardian, that declare no medical conditions which have the potential to affect the individual’s ability to participate in any YMA class/event will be stored for a period of 3 years after the termination of their Membership/Free Trial. After such time, they will be permanently destroyed.
Where any Health Questionnaire completed for a Member/Free Trial Student declares a medical condition, YMA will retain copies of all Health Questionnaires completed for the Member/Free Trial Student for 10 years after the termination of their Membership/Free Trial. After such time, only Cobra number and DOB will be retained.
Contact information is relevant to three main categories of customer, plus staff members/volunteers:
Enquiries;
Members;
Ex-Members.
Our reason for processing contact information is on the basis of legitimate interest; we need to be able to contact Enquires and Free Trial Students to discuss their interest in our services, and we need to be able to contact Members, or their Parent/Guardians, about matters that have an impact on the services they use, or our modus operandi.
If a customer or staff member ‘joins’ a social media group created or managed by YMA, YMA will have access to data that is provided. It is the customers responsibility to leave such a group, and YMA accepts no responsibility or liability for any information provided by the customer directly to a third-party provider.
The process for dealing with, and timescales for keeping this information are as follows:
YMA will attempt to contact an Enquiry for three weeks after receiving the request. Once this period has elapsed the lead is regarded as ‘dead’ and further attempts will not be made.
Should contact be made with the Enquiry then it is regarded as ‘live’ and the timescales applicable are managed dependent on the nature of the communication.
YMA will record the date that contact is made (i.e. the initial contact request) and update this each time an Enquiry responds to or initiates contact with YMA as below.
Where the Enquiry requests some time before a subsequent contact, the Enquiry is diarised for the requested date/after the requested time period and the three-week time period starts again from this date;
When follow-up contact is made with the Enquiry, the three weeks timer starts again from this date unless:
The Enquiry states that they no longer wish to be contacted in which case the Enquiry is regarded as dead immediately; or,
The Enquiry books an appointment with YMA. In which case the date of the Appointment becomes the new date from which to count.
Contact information is required for all Members and is kept for the duration of their Membership. This is necessary to ensure we can contact them in case of closure, change of class times, payment issues or other service related matters. We do not send marketing messages via text, telephone, email or post.
Marketing is dealt with through member groups such as Facebook or Mobilize Groups where the customer opts in by joining the Group and contact information is provided directly to the service provider. We do not sign customers up these services or provide our customer information to them, nor is joining a requirement for the Member or their Parent/Guardian.
We keep contact information for the duration of the Membership. Upon termination of their Membership, the Member becomes an ex-Member for the purposes of this policy.
Contact information is kept on file for ex-Members for a period of three months. This is to allow for the Member to return or for us to contact them regarding matters relevant to the termination of their Membership, and other matters deemed important to the individual. After this time contact information is removed from the Member’s record and all copies, both physical and digital, are permanently destroyed.
Where an Enquiry attends an appointment with YMA, they are regarded as a Free Trial Student. Where a Free Trial Student completes their Free Trial with YMA and becomes a Member, their information is dealt with in accordance with the ‘Member’ section of this policy.
Where the Free Trial Student either does not complete their Free Trial, or does not become a Member of YMA, their information is dealt with as outlined in the following scenarios:
The Free Trial Student attends and books a second appointment. The new appointment date becomes the date from which to start the three-week contact rule;
The Free Trial Student attends but fails to book a second appointment. The three-week contact rule starts from the date of last appointment they attended and they are then handled using the same rules as an Enquiry as above in regards to subsequent contact;
The customer enrols with YMA in which case they are now a Member and are dealt with as such.
If at any point the Enquiry or Free Trial Student informs us that they no longer wish to be contacted by YMA, they are immediately regarded as ‘dead’.
Once an Enquiry or Free Trial Student is regarded as ‘dead’ the information provided is kept for one week to allow for the Enquiry or Free Trial Student to respond to our final attempt to contact them or for us to correct an Enquiry or Free Trial Student marked ‘dead’ in error. After this timeframe the data is anonymised. This involves deletion of name, telephone, postal and email address, and any other identifiable information, leaving only statistically relevant information such the source of the Enquiry, age of potential Member and the class(es) they were interested in.
Staff/Volunteers
Staff members and volunteers will have information stored following the same guidelines as customers.
Certain staff members are required to undergo DBS checks. Copies of the results of DBS checks may be shared with YMA and Cobra for the purposes of maintaining their insurance and eligibility to be in contact with children and vulnerable adults. See ‘Other Information’ for further details of how we process information from DBS Certificates.
Financial information is considered to be sort codes, account numbers and credit card numbers. This information will be stored as follows:
Credit card numbers will not be stored at all. Credit card receipts are kept however these are redacted at source (i.e. the receipt only shows that last four digits of the card number);
Sort codes and account numbers are only taken with regards to Direct Debit mandates or to initiate payments (e.g. refunds) to the customer via bank to bank transfer;
Direct Debit Mandates will be stored for seven months after the date of the member becoming an ex-member or changing to an alternative form of payment. This is due to the limitation on Direct Debit Indemnity claims being six months from the date of a payment. Should this time limit change in the future then the time period used by YMA will reflect this – we will retain records for one month longer than the Indemnity Limit;
Payment information for bank transfers will be deleted immediately following a successful payment to the customer unless there is already a need to pay the customer an agreed future payment.
Our reason for processing financial information is on the basis of contract; we need to be able to process your payment details so that we can provide us with the services and products you have requested of us.
Other information which is stored and processed by YMA includes:
LNZ reference number: this number is generated by LNZ. This number will be treated as contact information as it links to the contact information provided by the customer to LNZ once a direct debit mandate is set up;
BMABA number: this number links to the members licence and insurance record with BMABA. It will be kept on file for all current Members. It will be stored for ex-Members until one month after the licence has expired and then deleted. This is to allow for renewal should the ex-Member return in a reasonable time frame.
Details of the expiry of any first aid qualifications for Members so we can prompt them of its renewal. This information is not regarded as Personal Information as it is purely a date and not identifiable to an individual. This information will be dealt with in the same manner as contact information for ex-Members following the termination of the Membership.
Disclose and Barring Service (DBS) certificates: originals or copies of DBS certificates will not be stored without the consent the data subject. Whilst they are a Member, we will retain a note of the SCR number, the date the DBS was checked, and who checked it and approved the check. Upon termination of the Membership, this information will be treated in the same manner as contact information for ex-Members.
Any other information will be assessed to see if it falls under the requirements of data protection legislation and, if it does, will only be kept whilst there is a legitimate need to do so. This document will be updated or appended to include any such information.
Information will be made available only to those staff who reasonably need it and limited to appropriate methods of access.
If a Customer, Parents or Guardians, wish to view the information we hold for them or exercise any of their rights under the General Data Protection Regulations, a written request needs to be made. Any such request should be marked for the attention of Karen Crook, Programme Director, and made either by post to the Academy’s address or by email to hello@yma.ninja.
Selected members of staff will have access to customer information on the computer located at the YMA building. This is to enable them to obtain emergency contact information and medical information and to contact customers in the event of an unexpected closure or other necessary communication.
Selected members of staff who have a legitimate need to may be granted access to this data remotely (see cloud storage) but the following will always apply:
All computers used by YMA will use encryption on hard drives that contain customer data;
All computers used to access customer data will be password or pass number protected;
Pass numbers will be issued to staff on a need-to-know basis not an individual basis in that all staff requiring a certain level of access will be given the same access credentials. Should any member of staff leave the organisation those access credentials will be changed at the earliest opportunity;
Computers will be locked when not in use.
If a Computer is lost, the passwords for all cloud storage services accessed by that Computer will be changed by the end user where the power to do so is with the end user. Otherwise, the passwords will be changed by the Data Protection Officer as soon as it is reasonably practicable to do so (see Breaches of Data Protection below).
Should the PC, laptop or similar device support remote wiping, this facility will be triggered at the earliest opportunity by the end user.
Selected members of staff who have a legitimate need to may be granted access to customer contact information on mobile devices and/or access to cloud storage via mobile device (see Cloud Storage). The following will always apply:
Mobile device policy used by email services will enforce password/pass number or biometric protection on the mobile device where technically possible;
Regardless of the above all mobile device will be made password/pass number or biometrically protected by the end user;
Staff members will remote wipe any device lost or stolen at the earliest possible opportunity and change any passwords directly under their control.
Any data mentioned or alluded to within this policy will not be stored on removable storage devices, unless it is approved by the Data Protection Officer to ensure that it is appropriately encrypted and secure.
Customer data stored in the cloud will be stored only on services declared compliant with current data protection legislation. Currently, our cloud storage system is ‘OneDrive for Business’ provided by Microsoft. Access to this data will be possible from the base computer at the YMA Academy or remotely from computers meeting the requirements specified earlier.
Remote access, controlled by user id/password will only be granted to staff members with a legitimate need and only for as long as that need holds. This will apply to access by computer application, browser, mobile device application or similar.
Customer information is also stored on email/contact services to allow for email communication and telephone directory synchronisation. This service will for the sake of this document be regarded as ‘cloud storage’.
Paper documents will, where practical to do so, be digitised and the originals destroyed once there is no practical need for paper copies. Whilst paper copies are in use the following measures apply:
Paper documents will be transported in a way that they cannot be viewed (such as in an envelope or folder);
Paper documents will not be left unattended except in a secure environment such as a locked office, building or cupboard. Documents may be temporarily stored in motor vehicles or transportable cases for the purposes of transporting them to one of aforementioned secure environments.
YMA will only share information with third parties where that third party has a need for the information. This is advised to members at enrolment and advertised around the Academy building. Further, all such third parties will be asked to confirm that they comply with current data protection legislation and have in place procedures for dealing with shared information in line with said legislation.
Any breach, or potential breach of data protection or this policy, regardless of whether the breach has been dealt with in accordance with the requirements specified above (e.g. remote wiping of phones), must be reported immediately to the Data Protection Officer at YMA. Anyone can make this report.
The Data Protection Officer will ensure any necessary passwords have been changed to ensure cloud services remain secure or change them as soon as it is reasonably practicable to do so, but always within the timeframes required under the General Data Protection Regulations.
The breach (or potential breach) will be recorded appropriately and if necessary, reported as required per current data protection legislation. Where a breach results in the loss of customer information, the customer will be informed in writing by way of email, and where possible verbally, as soon as it is reasonably practicable to do so. Any such communication will include what information has been obtained, who is likely to have access to it and what steps we are taking to recover the data or mitigate the impact of it having an adverse effect on their rights and freedoms.
See YMA Data Breach Policy for a detailed statement.
All staff will be required to read and understand this document and comply with the requirements specified therein before having access to any of the information covered by this policy. They will sign a statement to this effect.
Cookie Policy
This is the Cookie Policy for YMA, accessible from yma.ninja.
What Are Cookies
How We Use Cookies
Disabling Cookies
The Cookies We Set
Third Party Cookies
More Information
What Are Cookies
As is common practice with almost all professional websites this site uses cookies, which are tiny files that are downloaded to your computer, to improve your experience. This page describes what information they gather, how we use it and why we sometimes need to store these cookies. We will also share how you can prevent these cookies from being stored however this may downgrade or ‘break’ certain elements of the sites functionality.
For more general information on cookies, please read “What Are Cookies”.
How We Use Cookies
We use cookies for a variety of reasons detailed below. Unfortunately, in most cases there are no industry standard options for disabling cookies without completely disabling the functionality and features they add to this site. It is recommended that you leave on all cookies if you are not sure whether you need them or not in case they are used to provide a service that you use.
Disabling Cookies
You can prevent the setting of cookies by adjusting the settings on your browser (see your browser Help for how to do this). Be aware that disabling cookies will affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionality and features of this site. Therefore, it is recommended that you do not disable cookies.
The Cookies We Set
Account related cookies
If you create an account with us then we will use cookies for the management of the signup process and general administration. These cookies will usually be deleted when you log out however in some cases they may remain afterwards to remember your site preferences when logged out.
Login related cookies
We use cookies when you are logged in so that we can remember this fact. This prevents you from having to log in every single time you visit a new page. These cookies are typically removed or cleared when you log out to ensure that you can only access restricted features and areas when logged in.
Site preferences cookies
In order to provide you with a great experience on this site we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences, we need to set cookies so that this information can be called whenever you interact with a page is affected by your preferences.
Third Party Cookies
In some special cases we also use cookies provided by trusted third parties. The following section details which third party cookies you might encounter through this site.
Google Analytics
This site uses Google Analytics which is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content. For more information on Google Analytics cookies, see the official Google Analytics page.
More Information
Hopefully that has clarified things for you and as was previously mentioned if there is something that you aren’t sure whether you need or not it’s usually safer to leave cookies enabled in case it does interact with one of the features you use on our site. This Cookies Policy was created with the help of the Cookies Policy Template Generator.
However if you are still looking for more information then you can contact us through one of our preferred contact methods:
Email: hello@yma.ninja
VAT Registration Number – 455185381 ICO Registration Number – ZB548978