GDPR Statement

Last updated 19th July 2022

Your personal information and Surrey County Council

  1. Surrey County Council is committed to protecting your privacy when you use our services. Our corporate privacy notice explains in general how we use information about you and how we protect your privacy.
  2. The Cycle Training Team commissioned and uses this bespoke online booking and administration system - https://surreycycletraining.online -  developed by an external company ("Weblaunch Ltd"). This is what you use when making a booking and below we explain how we use your personal information.

What personal information we collect from you

As you complete a booking, we request the following information:

  1. Your name.
  2. The name of the child for whom you are booking training.
  3. Your email address.
  4. Data concerning the health of the person you are booking on to the training that could be relevant to the training.
  5. If you are paying online at the point of booking, you will be asked to enter your bank card details after being transferred to Worldpay.
  6. Gender and ethnicity - a 'prefer not to say' option is included.
  7. We also ask some questions relating to you child's current level of skills, the condition of their cycle and whether they will wear a helmet.
  8. Name and phone number for emergency contact.

Collection of your information

You enter your personal data in order to book training.

IP address, user agent, browser and operating system are collected automatically by the system and are viewable by system administrators.

The basis on which we collect the information

Your personal information enables us to contact you and provide the training requested.

The purposes for which your information is used

  1. Name: to contact you.
  2. Email: to contact you.
  3. Phone number: to contact you.
  4. Data concerning health: to adjust the training where necessary and for the Instructor to ensure any required medical aids are being carried.
  5. Name and phone number for emergency contact: for the Instructor whilst training.
  6. Bank card details: to take payment for your training.
  7. Gender and ethnicity: to monitor equality of access to the service.

Sharing of your information

  1. The web developer has access to all information.
  2. The consent details you entered when booking are viewable by the Instructors for the course when logged in to the system. Instructors cannot see any bank card details.
  3. If you are participating in a "Borrow A Cycle" scheme, we will share your name and contact details with Active Surrey, who supply the cycles.
  4. Payments are processed via WorldPay - please see here for more information.

Where your information is stored

The personal information you share with us is stored in a database on a live server. A list of pages you visit are stored on a live server in separate log files.

No credit card, bank details or any other personal financial information are stored on our servers.

Retention of your personal information

  1. Financial information (including name of person making the payment) is deleted 7 years after order date in line with Surrey County Council banking privacy notice.
  2. Medical and other additional needs information (not including SEND) is deleted 1 day after the last day of training.
  3. SEND information is deleted 6 months after the last day of training. SEND information is kept longer than medical information to allow us to report aggregated, anonymised SEND data.
  4. Trainee name is deleted 2 years after the last day of training. This is to enable us to supply a replacement certificate if requested.
  5. Emergency contact details are deleted one day after the last day of training.
  6. The details of a person on a waiting list are deleted 1 day after they have been assigned to a public training course.

How information is protected against breaches

The servers are protected with two independent firewalls. All ports excepting those required for operation of a website are closed or access regulated by IP address.

All communications with the servers are encrypted to prevent man-in-the-middle attacks.

The hosting is cloud-based so there is no single physical presence, however data centres are protected by 24 hour security. The data centres are located in the UK.

How information is protected against losses

Data are backed up daily and stored securely off-site for 1 month. After one month data are destroyed.

Cloud-base hosting ensures there is no single point of hardware failure.