GDPR Statement

Last updated 19 July 2022

Your personal information and Surrey County Council

  1. Surrey County Council is committed to protecting your privacy when you use our services. Our corporate privacy notice explains in general how we use information about you and how we protect your privacy.
  2. The Cycle Training Team commissioned and uses this bespoke online booking and administration system - https://surreycycletraining.online -  developed by an external company ("Weblaunch Ltd"). This is what you use when making a booking and below we explain how we use the personal information you enter when booking.

What personal information we collect from you

As you complete a booking, we request the following personal information:

  1. Your name.
  2. The name of the child for whom you are booking training.
  3. Your email address.
  4. Data concerning the health of the person you are booking on to the training that could be relevant to the training.
  5. If you are paying online at the point of booking, you will be asked to enter your bank card details after being transferred to Worldpay.
  6. Gender and ethnicity - a 'prefer not to say' option is included.

We also ask some questions relating to you child's current level of skills, the condition of their cycle and whether they will wear a helmet.

Collection of your information

You enter your personal data in order to book training. IP address, user agent, browser and operating system are collected automatically by the system and are viewable by system administrators.

The purposes for which your information is used

  1. Name: to confirm you are the parent or carer of the named child.
  2. Your child's name: to allocate them to a course.
  3. Email: to confirm your booking, notify you of the course to which your child is allocated (if there are several running) and to ask you for your post-course evaluation.
  4. Data concerning health: to adjust the training where necessary and for the Instructor to ensure any required medical aids are being carried.
  5. Gender and ethnicity: to monitor equality of access to the service.
  6. Bank card details: to take payment for your  training.

Sharing of your information

Personal details are viewable by:

  1. Those Instructors who will be running the courses, when they log in to the system, can see your child's name and any information you enter about their health, individual needs, helmet and bike.
  2. Surrey County Council cycle training service administrative staff, , when they log in to the system. They can see the same information as Instructors, plus your email, order number and payment amount. Your card details are not seen by staff.
  3. School staff with password access when  they log in to the system. School staff will allocate enrolled pupils to specific courses.
  4. The system administrator has access to all information excluding your card details. 
  5. Payments are processed via WorldPay - please see here for more information.

Where your information is stored

The personal information you share with us is stored in a database on a live server. A list of pages you visit are stored on a live server in separate log files.

Retention of your personal information

  1. Financial information (including name of person making the payment) is deleted 7 years after order date in line with Surrey County Council banking privacy notice.
  2. Medical and other additional needs information (not including SEND) is deleted 1 day after the last day of training.
  3. SEND information is deleted 6 months after the last day of training. SEND information is kept longer than medical information to allow us to report aggregated, anonymised SEND data to The Bikeabilityu Trust, as aprt of our grant conditions..
  4. Trainee name is deleted 2 years after the last day of training. This is to enable us to supply a replacement certificate if requested within that time.

How information is protected against breaches

The servers are protected with two independent firewalls. All ports excepting those required for operation of a website are closed or access regulated by IP address. All communications with the servers are encrypted to prevent man-in-the-middle attacks. The hosting is cloud-based so there is no single physical presence, however data centres are protected by 24 hour security. The data centres are located in the UK.

How information is protected against losses

Data are backed up daily and stored securely off-site for 1 month. After one month data are destroyed. Cloud-base hosting ensures there is no single point of hardware failure.