Loading

Add Attendee

Parental consent

Please note we request only parents/legal guardians responsible for the child/children complete all registration forms. Registration forms completed by any other party will not be accepted. This is to ensure that we have the correct consent/information required

You currently do not have any courses in your basket. Click here to view our Courses.

FOUNDATION OF LIGHT
SOCIAL MEDIA

50 minutes ago

RT @FA_PEnorth: A great day at Plains Farm Academy in Sunderland supporting @SAFCFoL coach and @afPE_PE L3 PESS learner Tomasz in his Premi…

3 hours ago

RT @LanchesterEP: What a fab day Y2 have had! Tennis, cricket, football and rugby all in one day! Big thanks to @TheRacquetMan @LanchesterC

4 hours ago

From #LittleDribblers (3-5 years) to Soccer Courses and Dance Classes (5-14 years) and Tournaments, we've got somet… https://t.co/MELA5PTCy9

4 hours ago

RT @LanchesterEP: Year 3 have had a fantastic day today. Thank you to @TheRacquetMan @SAFCFoL @ConsettRFC and @LanchesterCC for giving up t…

7 hours ago

Well done everyone, what a score! More practice needed, Mr Mordue ... https://t.co/ODSnbEAXHb

7 hours ago

RT @ALS_Fanzine: The @MANvFAT Football Sunderland league is ready to kick off again and it will be one of the first to ever use the amazing…

7 hours ago

@NorthumbrianH2O They sure are! In the classroom-based session, our youngsters are using interactive Maths activiti… https://t.co/xseCvmgRmr

7 hours ago

#SAFC mascot Samson is also joining in the fun and taking his first look around the @FoL_Beacon! #PLPrimaryStars https://t.co/Sc3a2Nyxph

7 hours ago

We're hosting our FIRST #MathsDay at the @FoL_Beacon with over 200 youngsters from #NorthEast primary schools who a… https://t.co/tY5INhB7Vw

7 hours ago

RT @FoL_Beacon: There is still time to book onto our @SAFCFoL May Half term courses. - 5 to 14 years from 10am to 3pm on Tuesday/Wednesda…

20 hours ago

RT @BringItOnNE: Bring it On 2018 will see over 2000 kids coming through the doors of the @FoL_Beacon to celebrate #Engineering in the regi…

20 hours ago

RT @FolClub: Our u17s are looking for new players to join their u18s squad ahead of the 18/19 season. They train at Silksworth Sports compl…

May 22

RT @Grangetown_PS: Our young footballers are looking forward to the afternoon of 12th July, and their trip to the SoL for the World Cup! We…

May 22

We're also hosting a #CoachesAcademy Information Evening for current Year 11 pupils at @weare_livin #Foundations in… https://t.co/my0kAZzjvP

May 22

SCHOLARSHIP: Our @FoLScholars programme is holding OPEN TRIALS and INFORMATION EVENINGS school leavers during May… https://t.co/ITDsKH4VCO

May 22

RT @SunderlandRTC: Community Support: Great Night last night sharing Girls Talent Work with some Grassroots and Wildcat Coaches 👍🏻 Staff an…

May 22

The draw has been made for our #PLPrimaryStars Schools #WorldCup Tournament at the @FoL_Beacon in July! There are t… https://t.co/NVNwRN6bCm

May 22

RT @FoLScholars: Our #Monkweamouth North Scholars and Ladies Scholars are training in the @FoL_Beacon’s amazing rooftop football barn this…

GDPR: Your Rights

GDPR Statement

On 25th May 2018 a new European privacy law comes into effect that requires all organisations to make changes in line with the General Data Protection Regulation (GDPR), imposing new rules in regards to the collection, processing and security of data linked to EU establishments.

The Foundation of Light and Beacon of Light are proactively working towards meeting the guidelines and standards set out by the information Commissioners Office (ICO) in readiness for the new regulations. To ensure our staff, systems and internal processes reach the levels expected, we have conducted a full and engaged an expert consultant in preparation.  We have published ‘Your Rights’ on our websites from the ICO guidelines.

Within the Foundation of Light family, the Senior Leadership Team is responsible for information security, however in regards to GDPR we have an appointed coordinator and are due to appoint a new Data Protection Officer. Our clients are at the forefront of everything we do in preparation for GDPR compliance. We are also monitored by the Charity Commission and English Football League, HMRC tested and recognised, BACS accredited and their respective authorities.

Our electronic data is held by Pulsant and on SharePoint, who are certified to the required standards for their operating processes.

Extract from the Information Commissioner’s Office

GUIDE TO THE GENERAL DATA PROTECTION REGULATION (GDPR) – YOUR RIGHTS

Individual Rights

The GDPR provides the following rights for individuals:

  1.  The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erase
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Right to be Informed

AT A GLANCE

The right to be informed encompasses our obligation to provide ‘fair processing information’, typically through a privacy notice.

It emphasises the need for transparency over how we use personal data.

IN BRIEF

What information must be supplied?

The GDPR sets out the information that we should supply and when individuals should be informed. The information we supply is determined by whether or not we obtained the personal data directly from individuals. See the table below for further information on this.

The information we supply about the processing of personal data must be: concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.

The table below summarises the information we should supply to individuals and at what stage.

What information must be supplied? Data obtained directly from      data subject Data not obtained directly from data subject
Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer    ✓
Purpose of the processing and the lawful basis for the processing    ✓
The legitimate interests of the controller or third party, where applicable    ✓
Categories of personal data
Any recipient or categories of recipients of the personal data    ✓
Details of transfers to third country and safeguards    ✓
Retention period or criteria used to determine the retention period    ✓
The existence of each of data subject’s rights    ✓
The right to withdraw consent at any time, where relevant
The right to lodge a complaint with a supervisory authority
The source the personal data originates from and whether it came from publicly accessible sources
Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
When should information be provided?    At the time the data are obtained Within a reasonable period of having obtained the data (within one month)

If the data are used to communicate with the individual, at the latest, when the first communication takes place; or

If disclosure to another recipient is envisaged, at the latest, before the data are disclosed.

 

Right of access

AT A GLANCE

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

IN BRIEF

  • What information is an individual entitled to under the GDPR?

Under the GDPR, individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).

  • What is the purpose of the right of access under GDPR?

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing (Recital 63).

  • Can we charge a fee for dealing with a subject access request?

We must provide a copy of the information free of charge. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that we can charge for all subsequent access requests.

The fee must be based on the administrative cost of providing the information.

  • How long do we have to comply?

Information must be provided without delay and at the latest within one month of receipt.
We will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

  • What if the request is manifestly unfounded or excessive?

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we can:

  1. Charge a reasonable fee taking into account the administrative costs of providing the information; or refuse to respond.

Where we refuse to respond to a request, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

  • How should the information be provided?

We must verify the identity of the person making the request, using ‘reasonable means’.

If the request is made electronically, you should provide the information in a commonly used electronic format.

The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well.

The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.

  • What about requests for large amounts of personal data?

Where we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to (Recital 63).

The GDPR does not include an exemption for requests that relate to large amounts of data, but we may be able to consider whether the request is manifestly unfounded or excessive.

Right to rectification

AT A GLANCE

The GDPR gives individuals the right to have personal data rectified. Personal data can be rectified if it is inaccurate or incomplete.

IN BRIEF

  • When should personal data be rectified?

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

If we have disclosed the personal data in question to third parties, we must inform them of the rectification where possible. We must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

  • How long do we have to comply with a request for rectification?

We must respond within one month. This can be extended by two months where the request for rectification is complex.

Where we are not taking action in response to a request for rectification, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.

Right to erasure

AT A GLANCE

The right to erasure is also known as ‘the right to be forgotten’.

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

IN BRIEF

  • When does the right to erasure apply?

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  1. Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  2. When the individual withdraws consent.
  3. When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  4. The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
  5. The personal data has to be erased in order to comply with a legal obligation.
  6. The personal data is processed in relation to the offer of information society services to a child.

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request.

  • When can we refuse to comply with a request for erasure?

We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  1. to exercise the right of freedom of expression and information;
  2. to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
  3. for public health purposes in the public interest;
  4. archiving purposes in the public interest;
  5. scientific research historical research or statistical purposes;
  6. or the exercise or defence of legal claims.
  • How does the right to erasure apply to children’s personal data?

There are extra requirements when the request for erasure relates to children’s personal data, reflecting the GDPR emphasis on the enhanced protection of such information, especially in online environments.

When we process the personal data of children, we should pay special attention to existing situations where a child has given consent to processing and then later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent (Recital 65).

  • Do I have to tell other organisations about the erasure of personal data?

If we have disclosed the personal data in question to third parties, we must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.

The GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data public should inform other organisations who process the personal data to erase links to, copies or replication of the personal data in question.

If we process personal information online, for example on social networks, forums or websites, we must endeavour to comply with these requirements.

As in the example below, there may be instances where organisations that process the personal data may not be required to comply with this provision because an exemption applies.

Example
A search engine notifies a media publisher that it is delisting search results linking to a news report as a result of a request for erasure from an individual. If the publication of the article is protected by the freedom of expression exemption, then the publisher is not required to erase the article.

Right to restrict processing

AT A GLANCE

Individuals have a right to ‘block’ or suppress processing of personal data.

When processing is restricted, we are permitted to store the personal data, but not further process it.

We can retain just enough information about the individual to ensure that the restriction is respected in future.

IN BRIEF

  • When does the right to restrict processing apply?

We will be required to restrict the processing of personal data in the following circumstances:

Where an individual contests the accuracy of the personal data, we should restrict the processing until we have verified the accuracy of the personal data.

Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override those of the individual.

When processing is unlawful and the individual opposes erasure and requests restriction instead.

If we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.

We may need to review procedures to ensure we are able to determine where we may be required to restrict the processing of personal data.

If we have disclosed the personal data in question to third parties, we must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.

We must inform individuals when we decide to lift a restriction on processing.

Right to data portability

AT A GLANCE

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

Some organisations in the UK already offer data portability through the midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.

It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

Example
midata is used to improve transparency across the banking industry by providing personal current account customers access to their transactional data for their account(s), which they can upload to a third-party price comparison website to compare and identify best value. A price comparison website displays alternative current account providers based on their own calculations.

IN BRIEF

  • When does the right to data portability apply?

The right to data portability only applies:

  1. to personal data an individual has provided to a controller; where the processing is based on the individual’s consent or for the performance of a contract; and when processing is carried out by automated means.
  • How do we comply?

We must provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.

The information must be provided free of charge.

If the individual requests it, we may be required to transmit the data directly to another organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other organisations.

If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual.

  • How long do we have to comply?

We must respond without undue delay, and within one month.

This can be extended by two months where the request is complex or we receive a number of requests. We must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where we are not taking action in response to a request, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

Right to object

AT A GLANCE

Individuals have the right to object to: processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.

IN BRIEF

  • How do we comply with the right to object if we process personal data for the performance of a legal task or the organisation’s legitimate interests?

Individuals must have an objection on “grounds relating to his or her particular situation”. We must stop processing the personal data unless: we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims.

We must inform individuals of their right to object “at the point of first communication” and in our privacy notice.

This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

  • How do we comply with the right to object if we process personal data for direct marketing purposes?

We must stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.

We must deal with an objection to processing for direct marketing at any time and free of charge.

We must inform individuals of their right to object “at the point of first communication” and in our privacy notice.

This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

  • How do we comply with the right to object if we process personal data for research purposes?

Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.

If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

  • How do we comply with the right to object if our processing activities fall into any of the above categories and are carried out online?

We must offer a way for individuals to object online.

AT A GLANCE

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

We must identify whether any of our processing operations constitute automated decision making and consider whether we need to update our procedures to deal with the requirements of the GDPR.

IN BRIEF

  • When does the right apply?

Individuals have the right not to be subject to a decision when: it is based on automated processing; and it produces a legal effect or a similarly significant effect on the individual.

We must ensure that individuals are able to: obtain human intervention; express their point of view; and obtain an explanation of the decision and challenge it.

  • Does the right apply to all automated decisions?

No. The right does not apply if the decision: is necessary for entering into or performance of a contract between the organisation and the individual; is authorised by law (e.g. for the purposes of fraud or tax evasion prevention); or based on explicit consent. (Article 9(2)).

Furthermore, the right does not apply when a decision does not have a legal or similarly significant effect on someone.

  • What else does the GDPR say about profiling?

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their: performance at work; economic situation; health; personal preferences; reliability; behaviour; location; or movements.

When processing personal data for profiling purposes, we must ensure that appropriate safeguards are in place.

We must:

  1. ensure processing is fair and transparent by providing meaningful information about the logic involved, as well as the significance and the envisaged consequences;
  2. use appropriate mathematical or statistical procedures for the profiling;
  3. implement appropriate technical and organisational measures to enable inaccuracies to be corrected and minimise the risk of errors;
  4. and secure personal data in a way that is proportionate to the risk to the interests and rights of the individual and prevents discriminatory effects.

Automated decisions taken for the purposes listed in Article 9(2) must not:

  1. concern a child; or be based on the processing of special categories of data unless: we have the explicit consent of the individual; or the processing is necessary for reasons of substantial public interest on the basis of EU / Member State law.

This must be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard fundamental rights and the interests of the individual.

If you have a query on the data that the organisation retains about you, or you wish to have your data amended or removed, please contact Foundation of Light by emailing info@foundationoflight.co.uk or by calling 0191 5515191.