Our Commitment to your Privacy
Who is SLL?
Stevenage Leisure Limited is a UK registered charity no. 1144638 and a community-based and focused Non-Profit Distributing Organisation (NPDO). We manage various centres across Hertfordshire, Bedfordshire, Cambridgeshire and Rutland. Our head office is located at Stevenage Arts & Leisure Centre, Lytton Way, Stevenage, Hertfordshire, SG1 1LZ. The company is registered in England under company number 3446357.
- Who do we collect personal information from?
- When we collect your personal information and what our legal basis is for doing so
- Which information do we collect and process about you?
- How will we use your information?
- How long do we keep your information?
- Who will my personal information be shared with?
- Personal information relation to children
- How will my personal information be protected?
- Your rights to manage your information
- Other websites
- Security precautions
- Who can I contact about my rights over my personal information or any other questions I might have?
Who do we collect personal information from?
We collect and process information from a range of individuals, including:
- those who have become a member of one of our centres or theatres,
- those who have purchased tickets at one of our theatres,
- those who have expressed a strong interest in joining one of our centres or theatres,
- those who have used or have expressed a strong interest in using our services and activities,
- those who are members of or have expressed an interest in joining our swim school
- and those who have visited our sites or website.
When we collect your personal information and what our legal basis is for doing so:
In order to operate our business we need to collect personal information. We are committed to protecting your personal information and will only collect the information if we need to for a specific purpose and providing we have a legal basis, as explained below:
|Legal basis for collecting your personal information||Reason for collecting and using your information|
|Contract||When you join one of our centres or theatres or book an activity for yourself or a member of your family we collect and store personal information in order to provide you with services.
When you pay for a membership, other service or purchase by credit card we collect your credit card details in order to process that transaction.
|Legitimate Interests||When you join one of our leisure centres we collect personal information in order that we can provide a personalised service tailored to your health and fitness goals and provide information that may be of interest to you.
When you join one of our theatres we collect personal information in order that we can provide a personalised service based on the performances you have attended and provide information that may be of interest to you.
We also collect personal information to ensure your health and safety when using our facilities and to get in contact with your emergency contact if needed.
If you have expressed a strong interest in joining one of our centres or using our services and activities, we will collect and use your personal information in order to contact you about it.
When we capture your image on CCTV for prevention and detection of crime, safeguarding staff and visitors and ensuring compliance with health and safety procedures.
We are sometimes required to collect information about your ethnicity and other sensitive data in order to provide aggregated reports to your local authority or commissioning group. This information is used only for statistical purposes and is always kept secure.
|Consent||When you opt-in to our Physical Activity Referral Service we collect information about any health or disability conditions you may have.
When we take photos or film of people who are easily identified in order to promote our service we will collect your personal information and share it with our designers and selected promoters.
We also collect information when you voluntarily complete customer surveys, provide feedback and participate in competitions.
In order to provide our services to you we process ‘special category information’. This is more sensitive personal information such as health and ethnicity.
We collect health information to ensure we are offering you the right services and so that your progress can be tracked by yourself and us. We may ask you for information about your health in order to recommend appropriate exercise regimes or offer other services. We rely on your explicit consent to do this. We take extra care to ensure any special category information you share with us is kept secure and is only used for the purpose for which it was given.
|Legal Obligation||We have to pass on your information if we think you or your family, or someone working with you could come to harm. We will do this in line with our Safeguarding for Childcare Professionals policy.
If you make a data subject request under the DPA 2018 or GDPR 2018 we will collect your personal information in order to comply with the law.
We have a legal obligation to cooperate with the NHS test and trace service.
Special category information
Where the information we process is special category information, for example your health information, the additional basis for processing that we rely on under the GDPR is:
• Article 9(2) (a) Explicit consent
Where the special category information is ethnicity, the additional basis for processing that we rely on under the GDPR is:
• Article 9(2) (j) Archiving, research and statistics (with a basis in law)
In addition we rely on processing conditions at Schedule 1 part 1 paragraph 8 of the DPA 2018. This relates to the processing of special category information that is necessary for the purposes of equal opportunities monitoring.
Which information do we collect and process about you?
|Contact with SLL||Personal Information we may collect and process|
|When joining one of our centres or booking an activity:||Name, date of birth, contact details, bank details*, ethnicity, health** and fitness goals, interests, any relevant medical information, emergency contact, proof of ID
If you attend the activity: contact details, time, date and venue of session/activity for NHS Test and Trace.
|If you book any of our child activities or services including our play scheme, crèche, parties or swim school:||Child’s name, date of birth, address and medical information as well as the parent/carer’s name, date of birth, contact details and bank details, emergency contact
If the child attends the activity: parent or carers’ contact details, time, date and venue of session/activity for NHS Test and Trace.
|If you have a Direct Debit mandate in place:||Bank account number and sort code information.
When the Direct Debit mandate finishes we will remove this data from our operational systems within 30 working days.
|If you pay by credit card:||Bank card information at the time we take payment.
This data is processed on Payment Card Industry Data Security Standard compliant banking systems.
|If you visit our website, buy a membership online or book a course or session online:||Email address, online account password, IP address, contact details.
If you attend the course or session: contact details, time, date and venue of session/activity for NHS Test and Trace.
Please see below for information about cookies and information about other websites.
|When you use any of our facilities:||Usage information, health and fitness related data.
If you attend the course or session: contact details, time, date and venue of session/activity for NHS Test and Trace.
If you have a corporate membership paid by your employer we may share your usage information with them. We will never
|If you opt-in to our Physical Activity Referral Service or other health programme||We will use information about any health or disability conditions** you may have in order that we can devise an appropriate activity programme for you.|
|If you opt in to receiving marketing material or newsletters from us||Contact details.
You can opt out of this at any time.
|If you contact us||A record of your contact information and enquiry (so we can reply if necessary)|
|If you express a strong interest in joining one of our centres or using our services and activities||Name, contact details. (If your interest has been in a child’s activity we will also collect child’s name and date of birth)|
|When you visit any of our facilities||CCTV images (for the prevention, identification and reduction of crime). For more details of how we record, use and store images on CCTV please ask to see our CCTV Code of Practice.
Name, telephone number and email address, date and time in and out to be shared with NHS Test and Trace.
|When you provide customer feedback:||Name, contact details, opinions|
|If you exercise your data subject rights under the DPA 2018 or GDPR 2018||Name, contact details|
**We ask for any relevant personal health data when you register and signing up for our services. We collect this information to ensure we are offering you the right services and so that your progress can be tracked by yourself and us. We may ask you for information about your health in order to recommend appropriate exercise regimes or offer other services.
How will we use the information about you?
|When information is collected by SLL||How information is used|
|When you join one of our centres or book an activity:||Your information is used to ensure you get the most benefit from our services.
It is used to set up, verify and manage your membership/activity, create tailor-made programmes, allow you to track your workout progress and to verify which activities you have undertaken.
It is used to get information from credit reference agencies and fraud prevention agencies where necessary.
It contributes to equal opportunities monitoring (your information will be anonymised so no one can identify you).
It is used to ensure our staff are aware of any health or disability conditions
We are mandated by law to share it with NHS Test and Trace in order to minimise transmission of the COVID-19 virus.
|If you pay by Direct Debit mandate or pay by credit card||To take payments for your membership or for goods/activities/services purchased.|
|If you opt-in to our Physical Activity Referral Service||We will use information about any health or disability conditions you may have in order that we can devise an appropriate activity programme for you.|
|When you and your family use our services:||Your information about which facilities you have used is used to:
|When children are booked onto our services:||Your child or children’s information is used to set up their membership/activities.
Their parent/carer details are used to verify and manage this membership/activity on their behalf.
Emergency contact details and medical information is collected so staff can respond to the best of their ability in case of emergency.
Inform NHS Test and Trace if requested if you or your child has attend one of our Centres after someone has visited who has subsequently tested positive for COVID-19.
|If you express a strong interest in joining one of our centres or using our services and activities:||We will contact you to give you more information about the service/activity/membership you have expressed an interest in.|
|When you provide customer feedback:||To improve our services. If you have provided your contact details and would have given your consent to be contacted we will be in touch to discuss anything you may have raised.|
|If we have a legal obligation to share your personal information:||We have to pass on your personal information to the relevant authorities if we think there is a serious risk to you or your family, or someone working with you.
We have to pass on your personal information to statutory authorities if requested, such as HMRC and NHS Test and Trace.
How long do we keep your information?
Your personal information will only be kept for as long as it is needed. Once your personal information is no longer needed it will be securely disposed of. Information collected for the NHS contact and trace will be kept for a maximum of 21 days.
Who has access to your information?
SLL will never sell your personal information. However we may share your personal information with third parties in the following situations:
|When SLL shares your information|
|Processing your membership application||We may send your personal information to credit reference agencies and fraud prevention agencies where necessary.|
|Taking payments for sessions/performances||In order to process your payment for any bookings we may share your details with a booking system and an organisation that manages Direct Debit collections.|
|Corporate memberships||If your employer pays for your membership we may share your usage data with them.|
|Ensuring your safety, and the safety of others, and complying with the law||We may share your information if we have a legal duty to do so.|
|Marketing our services||We may share your mobile phone number or email address with marketing companies if you have given us permission to do so.
You can opt-out at any time by ‘unsubscribing’ which is included in all our texts and emails to you.
|Providing reports for various funding bodies||As a condition of the funding we receive we may have to provide some personal information as evidence of how effective we are in providing services.
We may also supply them with personal information in order that they can provide services needed.
This information will be anonymised so you won’t be able to be identified from the information given.
If you do not want your personal information to be included in this reporting please contact email@example.com
|Providing contact information to NHS test and tract||If a contact tracing exercise is in progress we will share your details with the NHS contact tracing service if relevant, who will contact you separately for further information.
If you are under 18 years old, we will contact you by phone wherever possible and ask consent from your parent or guardian to continue the call.
A list of the types of organisations (data processors) and the personal information we share with them can be found in Annex A.
A list of the various organisations SLL operates as a data processor, data controller or joint data controller with can be found in Annex B.
Personal information relating to children
Our services are used by people of all ages. SLL accepts website bookings and enquiries and collects personal information from individuals. Children aged under 16 years must have a parent or guardian’s consent before providing personal information to us. We will not collect any personal information without this consent.
How will my personal information be protected?
SLL takes information security very seriously. Only authorised staff will be able to access your personal information. SLL has appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.
SLL reserves the right to transfer your information to countries outside the European Economic Area. If we do so we will ensure it has the same level of protection that it would have in the EU.
There are also procedures in place to deal with any suspected information security breaches. SLL will notify you and any applicable regulator of a suspected information security breach where we are legally required to do so.
Your rights to manage your personal information
|Your rights under Data Protection regulations||What this means for you|
|Accuracy of information||We will strive to ensure that the information we hold about you is accurate and relevant. If you believe the information we hold about you is out of date or incorrect, please contact us (see below).|
|Seeing your information – subject access request||The Data Protection Act 2018 and the General Data Protection Regulation 2018 give you the right to know what personal information we hold about you in certain circumstances (you can only have access to your own information and any child that you have parental responsibility for aged under 13 years old). This is called a Subject Access Request.|
|Removing your information||If you no longer use our services and products and wish us to delete your personal information we will do this if there are no legal or statutory regulations requiring us to keep this it.|
|Restricting processing||If you want us to stop using your personal information but don’t want us to delete it we will restrict its use unless we have a legal duty to continue to use it, are using it to defend any legal claims or it is needed for safeguarding someone.|
|Objecting to your data being used||You have the right to stop to your personal information being used for direct marketing. You can also object to your personal information being used for statistical purposes, our legitimate interests and for a task being carried out in the public interest. We will consider your request, balancing your data rights with the legitimate interests or public interest of continuing the processing.|
|Transferring your data||In some circumstances, you can ask us to transfer your information to another organisation.|
|Automated decision making||Automated decision making and profiling is a decision made automatically without any human involvement. SLL will only engage with Automated Decision Making and Profiling where it is necessary to enter into, or perform, a contract with an individual, or where it is authorised by law.
The only automated decision making SLL makes is based on member status. There are three levels of activity within member status; active, high risk and inactive. Based on how recently a member has used the centre, their member status will be automatically adjusted.
If you want to contact us about any of these rights please tell a member of staff or contact our Data Protection Officer (details below).
Freedom of Information Requests
You have a right to know about the activities of local authorities, unless there is a good reason for you not to. Some of the services SLL provides are funded by local authorities and some of the information we hold is covered by the Freedom of Information Act.
Anyone can make a freedom of information request – you do not have to be UK citizens, or resident in the UK. Freedom of information requests can also be made by organisations, for example a newspaper, a campaign group, or a company.
If you want to make a Freedom of Information request you need to contact the relevant local authority directly to make the request. Please contact our Data Protection Officer (Baronie Shepherd, firstname.lastname@example.org 07785 462 593) for more information if needed.
We use the information gathered from cookies to get an idea of what elements of the website are best performing and what could be improved.
For further information about cookies, please visit www.aboutcookies.org or www.allaboutcookies.org.
You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However in a few cases, some of our website features may not function as a result.
Changes of business ownership and control
In the above instances, we will take steps with the aim of ensuring your privacy is protected.
We are committed to ensuring the protection of your personal information. Any payment transactions made will be encrypted and protected using SSL technology.
The transmission of non-sensitive details (such as your email address) made via the internet is not guaranteed 100% secure, except where you see the green padlock in the address bar. Although we will do our best to protect your personal data, we cannot guarantee the security of any data transmitted to our site (unless you see the aforementioned padlock icon); any transmission will be at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential.
Who can I contact about my rights over my personal information or any other questions I might have?
Stevenage Leisure Ltd
Stevenage Arts & Leisure Centre
We take any complaints about our collection and use of personal information very seriously.
If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our information processing, please raise this with us in the first instance.
The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights. You have the right to contact them should you wish:
- Report a concern online at https://ico.org.uk/make-a-complaint/
- Call 0303 123 1113
- Or write to:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Annex A – Data Processors
Data processors are third parties who provide certain parts of our services for us. We have contracts in place with them and they cannot do anything with your personal information unless we have instructed them to do so.
Our current types of data processors are listed below.
|Type of Organisation||Services Delivered||Personal Information Shared|
|Customer management software providers||Core systems for member information.||Contact details including emergency contact information, customer usage information, medical information|
|Marketing||Design consultants, communications software, marketing automation services||Photographs and videos, contact details, IP addresses|
|Fitness equipment software providers||Enable customers to use machines and track their fitness progress.||Contact details, usage information|
|Health & safety analysis and management provider||Accident analysis and management system||Details of individuals involved in health and safety incidents.|
|Direct Debit management provider||Handles Direct Debit collection||Contact details, bank details|
Annex B – List of organisations that SLL works with as a Data Processor, Data Controller or Joint Data Controller
Data controllers are organisations that commission SLL to deliver services. They may also run services themselves.
Our current data controllers / joint data controllers are listed below.
When SLL processes your details for NHS Test and Trace it acts as a data processor for these organisations.
Bedfordshire East Schools Trust
Shefford SG17 5QS
Central Bedfordshire Council
Shefford SG17 5TQ
Hertfordshire County Council
Hertford SG13 8DQ
Knights Templar School
Baldock SG7 6DZ
North Herts District Council
Letchworth Garden City
Rutland County Council
Oakham LE15 6HP
Silsoe Community Trust
72 Newbury Lane
Stevenage Borough Council
Stevenage SG1 1HN