The Holme Pierrepont Leisure Trust (“the Trust”) and Serco Leisure Operating Limited (“Serco”) are committed to ensuring that your personal information is protected and that we are being transparent about the information we hold about you.
Our website may provide links to third party websites. We are not responsible for the conduct of third party companies linked to the website and you should refer to the privacy notices of these third parties about how they may handle your personal information.
2. Who We Are
- Holme Pierrepont Leisure Trust c/o National Water Sports Centre, National Water Sports Centre, Adbolton Lane, Holme Pierrepont, Nottingham, Nottinghamshire, NG12 2LU
- Serco Leisure Operating Limited (company number: 04687478) based at Serco House, 16 Bartley Wood Business Park, Bartley Way, Hook, Hampshire, RG27 9UZ
The Trust and Serco are each a Controller of your personal data. As the Trust and Serco work together and jointly determine the purposes and means of gathering and using your personal data, we are considered “Joint Controllers” of your personal data.Nottingham County Council
National Water Sports Centre is owned by Nottingham County Council (the “Council”) but is operated by the Trust with Serco as the Trust’s managing agent. The Council will also access and process the personal information we hold about you in relation to our leisure centre services.
3. How Your Personal Data Is Collected
We may collect personal data about you when:
- the personal data is provided to us by you (e.g. when you contact us by email or telephone, when you enter a competition, fill in a survey)
- the personal data is collected in the normal course of our relationship with you (e.g. when you sign up to become a member, make an event booking, make a payment online or purchase products or services);
- the personal data has been made public by you (e.g. contacting the Trust via a social media platform);
- the personal data is received by us from third parties (e.g. parents and guardians, law enforcement authorities, previous managing agents acting on behalf of the Trust);
- the personal data is received from a partner organisation (e.g. a charity, a healthcare referral organisation);
- the personal data is received from trusted suppliers (e.g. payment providers, marketing agencies);
- the personal data is collected via our IT systems (e.g. our website, CCTV surveillance, mobile applications); and
- the personal data is created by us, such as records of your communications with us including complaints.
5. Personal Data Collected
The categories of personal information about you which we may collect and use includes:
- Personal details: title, full name, business or home address (current and historic), telephone and mobile numbers, email address, gender, date of birth, age, signature.
- Family and Friends Information: family and dependents, emergency contacts.
- Public identifiers: photographs, CCTV images and recordings.
- Internal Identifiers: consent forms, membership identification number, loyalty/resident card number.
- Financial, Welfare and Insurance Details: purchase transaction history, financial, bank or credit card information, welfare and benefits information, insurance details including for special event bookings.
- Correspondence: details of referrals, quotes and other contact and correspondence with you.
- Services Usage: service usage statistics.
- permissions, or preferences that you have specified, such as whether you wish to subscribe to our mailing list or agree to our terms and conditions.
- Incident History: health and safety accidents, security incidents, accident information, complaints communications, insurance claims history, reports and notes about health, treatment and care including details about hospital and doctor’s clinic visits.
- Special Category Personal Data: health and medical information, ethnic origin and biometric identifiers.
- Website Access Details: your computer’s unique identifier (e.g. IP Address), the date and time you accessed the Website.
The provision of some information is optional, but, in certain circumstances we will not be able to deliver the services and/or products you have requested if we are not provided with all relevant personal data.
6. How and Why We Use your Personal Data
Data protection and privacy laws requires us to have a “legal basis” or “lawful ground” to collect and use your personal information. Some of the grounds for processing may overlap and there may be several grounds which justify our use of your personal information.
We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. This may include:
- we have obtained your prior consent, including for direct marketing;
- we need to use your personal information in connection with the performance of a contract with you or to take steps at your request prior to entering into a contract with us; for example, we need your financial details when you sign up to a Direct Debit product;
- our use is necessary for the complying with our legal obligations; for example, in response to requests from government law enforcement authorities conducting an investigation.
- we need to use your personal information for our legitimate interest or those of a third party (and our interests are not overridden by your data protection rights), such as for monitoring service quality and business procedure compliance.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We carry out balancing tests for the data processing we do based on our or a third party’s legitimate interest and you can obtain information on our balancing tests by contacting us using the details below.
Below is a summary of how we use and the legal basis we rely on to use your personal data (please refer to section 7 below for details about how we handle your special category personal data):
|What we use your personal information for||Our reasons|
|Provision of services: for the administration and delivery of the requested Leisure Centre services to you including processing your membership application or event booking, communicating with you and providing customer service.|
- We have obtained your prior consent;
- The use is necessary in connection with the performance of our contract with you or to take steps at your request prior to entering into a contract with us;
- For our legitimate interests or those of a third party to provide the requested services and respond to any complaints or comments you may send us;
- For our our legitimate interests or those of a third party to support our administrative and business functions; or
- For our legitimate interests or those of a third party to provide an efficient and high quality service to you.
|Pre Exercise Assessments: details collected prior to starting membership and/or an exercise programme with us in order to assess activity requirements.|
- For our legitimate interests or those of a third party to provide information to our insurers; or
- For our legitimate interest or those of a third party to assist with providing safe and professional exercise guidance and programming.
|Fraud detection: to prevent and detect fraud against you or Serco such as providing proof of identity if you request a copy of your data.|
- For our legitimate interests or those of a third partyto minimise fraud that could be damaging for us and for you; or
- To comply with our legal and regulatory obligations.
|Safety: to ensure safe working practices and working environment. |
- To comply with our legal and regulatory obligations; or
- For our legitimate interests or those of a third party by making sure we are following our own internal procedures and working efficiently and safely so we can deliver the best service to you.
|Security: for security purposes, such as preventing unauthorised access and modifications to systems and protecting our staff, premises and vehicles.|
- For our legitimate interests or those of a third party to prevent and detect criminal activity;
- For our legitimate interests or those of a third party to protect the well-being of our staff and ensuring the physical and electronic security of our business, premises and assets; or
- To comply with our legal and regulatory obligations
|IT and website operations: for the operation and management of our websites and IT systems, providing content and communicating with you and ensuring the security and availability of our IT systems. |
- For the performance of our contract with you or to take steps at your request before entering into a contract; or
- For our legitimate interests or those of a third party to operate our websites and IT systems including reporting faults.
|Marketing: to promote our services via by email, telephone, social media, post or in person or otherwise but ensuring that such communications are provided to you in compliance with applicable law.|
- For our legitimate interests or those of a third party for the purpose of promotion; or
- We have obtained your prior consent
|Internal compliance: to ensure business policies are adhered to, such as policies covering security and internet use.|
- For our legitimate interests or those of a third party for the purposes of ensuring we are following our own internal procedures to deliver the best service to you.
|Investigations and complaints management: to detect, investigate and/or prevent breaches of policy, complaints, claims, incidents and criminal offences. |
- For our legitimate interests or those of a third party to detect and protect against breaches of our policies, applicable laws and for the establishment, exercise or defence of legal claims;
- For our legitimate interests or those of a third party to establish the facts in the event of a complaint, claim or query from a caller; or
- To comply with our legal and regulatory obligations.
|Compliance: compliance with our legal and regulatory obligations such as Health and Safety, including maintaining an internal record of compliance.|
- To comply with our legal and regulatory obligations; or
- For our legitimate interests or those of a third party for the purpose of maintaining a record of compliance with our legal and regulatory obligations.
|Legal Proceedings and debt collection: establishing, exercising and defending legal rights, including debt collection procedures.|
- To comply with our legal and regulatory obligations; or
- For our legitimate interests or those of a third party for the purpose of establishing, exercising or defending our legal rights.
- For our legitimate interests or those of a third party to collect any debts you owe us.
|Business Analysis: for business management and operational reasons, such as evaluating, developing and improving our services to you and other customers (which may include contacting you for customer surveys).|
- For our legitimate interests or those of a third party to continually evaluate, develop and improve our products and services as well as the experiences of customers and users of our services, to provide an efficient and high quality service to you.
- For our legitimate interests or those of a third party to develop our business strategies.
|Business Reorganisation: to share with third parties the event of a change of management, sale, merger, reorganisation or similar event.|
- For our legitimate interests or those of a third party to assist with the sale or potential sale, change of management or reorganisation of our business.
|Quality and Training: for quality assurance and staff and supplier training purposes.|
- For our legitimate interests or those of a third party to monitor and assess the quality of our service delivery (including compliance with our customer service standards).
- For our legitimate interests or those of a third party to provide training from time to time to those staff involved in the provision of our services as required in order to evaluate, assess and improve our customer experience and service delivery and protect our business interests.
|Record maintenance: to update and enhance customer records.|
- For the performance of our contract with you or to take steps at your request before entering into a contract;
- To comply with our legal and regulatory obligations; or
- For our our legitimate interests or those of a third party to support our administrative and business functions.
|Research: to conduct market or customer satisfaction research, statistical analysis to help us manage our business such as analysing gym usage or engaging with you to obtain your views on our products and services.|
- For our legitimate interests or those of a third party to provide an efficient and high quality service to you; or
- We have obtained your prior consent.
|Risk management: audit, compliance, controls and other risk management.|
- For our legitimate interests or those of a third party to manage risks to which our business and staff are exposed.
7. When Is Special Category Personal Data Collected And Used?
Special categories of personal data are particularly sensitive and require higher levels of protection. They include information about your health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation, genetic or biometric identifiers and trade union membership.
We may from time to time request that you provide special category personal information. We will primarily collect and use this information in the following scenarios:
- ask you about
- request to record your ethnicity so that we can compare in aggregate our membership base with the local population to ensure we’re representing our local communities;
- some facilities may use biometric information (e.g. facial recognition) as part of an access control system; or
- you may choose to share special category information in your communications with us.
We need to have further justification for collecting, storing and using this type of personal information, in addition to one of the general bases set out in section 6 above. Where required by applicable laws, we will take steps to have in place an appropriate policy document and safeguards relating to the processing of such personal information.
Where we do collect and handle special category personal information, we will only handle that information in accordance with applicable law, including where:
- we have your explicit consent – including where you voluntarily provide us with that information
- processing is necessary for the establishment, exercise or defence of legal claims; or
- processing is necessary for reasons of substantial public interest such as preventing and detecting unlawful acts of fraud.
We will consider that you have given us your consent to hold your special category data where you have voluntarily provided such information in your communications with us or provided information we have marked as optional but for the avoidance of doubt, we will only use the information for the purpose for which it was received unless otherwise required by applicable law.
Less commonly, we may process this type of information where it is needed to protect your vital interests (or someone else's vital interests) and you are not capable of giving your consent, or where you have already made the information public.
8. Direct Marketing
We may use your personal information to send you updates (by email, telephone, push notifications, post or text message) about our services including exclusive offers, promotions or products where you as a consumer have consented for us to do so.
To protect your privacy rights and to ensure you have control over how we market to you:
- At any time you can update or correct your personal profile, or change your preferences for the way in which you would like us to communicate with you, including how you receive details of latest offers or news from us;
- If you have an online account with us, the easiest way to make updates to your marketing preferences and/or change your personal details is to log onto your account.
You can opt out of receiving marketing communications from us at any time by:
- clicking the "unsubscribe" link that you find on any online newsletters or marketing communication you receive;
- disabling push notifications within the setting screen of our mobile app.
- sending us an email to Generalenquiries@serco.com Please ensure your correspondence is marked ‘Unsubscribe: Marketing Contact List’ and include your full name, membership number, email and telephone number to ensure your details are fully deleted from our direct marketing system (please specify whether you would like us to stop all forms of marketing or just a particular type of marketing)
- replying STOP to any of our text messages
- calling us directly and speaking to a member of our team on 0115 982 1212 or in person at the front desk on your next visit.
We will not sell your information, or share with other organisations without your prior permission for marketing purposes. We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you.
We currently have closed circuit television (CCTV) operating on our premises. The information processed may include visual images of personal appearance and behaviours and in certain circumstances various sound recordings of staff, customers and members of the general public (including children) who were in the immediate vicinity of the area under surveillance.
We display signs to inform visitors and staff that they are under surveillance and may be video and sound recorded. This information is kept in secure environments and access is restricted to designated staff.
We retain CCTV recordings centrally for up to 31 days, and for a longer period if they are relevant to an incident, complaint, investigation, legal proceedings or for as long as legally required by regulatory bodies and law enforcement agencies.
10. Children’s Information
We offer classes and activities for children at our Leisure Centre, including swimming lessons. Our services may be booked directly and used by individuals aged 16 years or over. We do not knowingly allow individuals under 16 years of age to provide us with their personal information to become members and use our services without parent or guardian consent. However there may be some information collected, such as CCTV, without parent or guardian consent when a child attends our Leisure Centre.
If a child is under 16 years of age, we will require their parent or guardian to register their child, or provide their written consent for the child to register directly with us, for membership, classes or other activities.
If you are under 16, please do not send any information about yourself to us, including your name, address, telephone numbers, or email address, unless you have your parent's or guardian's permission.
If you are a parent or guardian, the information we will collect from you and process will include your child’s name name, data of birth, age and (optionally) medical information for health a safety purposes. We will require your consent to handle your child’s special category data. In some instances you may voluntarily provide such information in your communications with us or provide that information where marked as optional. For the avoidance of doubt, we will only use the information for the purpose for which it was received unless otherwise required by applicable law. You may withdraw your consent at anytime by getting in touch with us via the details in section 17.
Your child’s information may be utilised on different platforms used by the Leisure Centre to deliver its services, including Legend (our membership system) and CAP2 Solutions (our swimming lesson tracking system). Access to any progress reports about a child will be limited to authorised users.
11. Sharing Your Personal Information With Others
As set out above in section 2, we may share your personal data with the Council, as we operate the Leisure Centre on the Council’s behalf.
We will only disclose personal information to a third party in limited circumstances, or where we are permitted to do so by law. The third parties we may provide your personal data to include:
- other organisations within the Serco group of companies, where such disclosure is necessary to provide you with our services or to manage our business;
- partner organisations, such as charities. In these instances, we will generally provide you with more details at the time your information is first collected.
- other third parties we use to help us run our business, (e.g. marketing agencies, IT support service providers, analysis experts such as Experian, communication platform providers);
- third parties we use to help deliver our products and services to you, (e.g. banks and payment providers);
- third parties approved by you e.g. when you request your details to bwe transferred;
- our professional advisors (e.g. law firms, insurers, auditors, brokers); and
- Government, regulatory and law enforcement bodies where we are required in order:
- to comply with our legal obligations;
- to exercise our legal rights (e.g. pursue or defend a claim); and
- for the prevention, detection and investigation of crime.
The Trust or Serco may also disclose your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is an operational or management change of the business.
We impose data protection obligations on contracted third parties to ensure they can only use your data to provide services to us for the purposes listed above. These third parties cannot pass your details onto any other parties unless instructed to by Serco or the Trust.
12. Transferring Your Personal Information Globally
The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") (for example, in the USA). It may also be processed by workers operating outside the EEA who work for us or for one of our service providers.
We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests. To achieve this, transfers are limited to countries which are recognised as providing an adequate level of legal protection or where we are satisfied that alternative arrangements are in place to protect your privacy rights. To this end, we will:
- in the limited circumstances that information is transferred within Serco Group, ensure such transfers are covered by an intra-group data sharing agreement entered into be all relevant entities within Serco Group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection.
- when transferring personal data to third parties outside the EEA:
- put in place binding corporate agreements, which will include the standard contractual clauses approved by the European Commission for transferring personal information outside the EEA, to ensure that your information is safeguarded; or
- ensure that the country in which your personal information will be handled has been deemed "adequate" by the European Commission or the company is registered and compliant with a European Commission approved privacy shield scheme.
- carefully validate any requests for information from law enforcement or regulators before disclosing the information.
We will co-operate with any regulators as required by law to ensure that we remain transparent about the way we handle your personal information.
13. Security of Your Personal Information
We take precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction. We protect your personal information using a variety of security measures including:
- password access;
- data back-up;
- placing confidentiality requirements on employees and service providers;
- providing training to our employees to ensure that your personal data in handled correctly;
- destroying or permanently anonymising personal information if it is no longer needed for the purposes it was collected; and
- secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we have in place robust procedures and security features to try to prevent unauthorised access.
14. How Long Do We Keep Your Personal Information?
Generally, we will retain your personal data in accordance with any applicable limitation period (as set out in any applicable law), plus one (1) year to allow reasonable time for review and deletion of the information held. This will usually be seven (7) years following the end of our business relationship with you.
In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting requirements or to have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings. When no longer necessary to retain your personal information, we will delete or anonymise it.
15. Your Legal Rights In Respect of Your Personal Information
You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information (commonly known as the "right to be forgotten"). This enables you to ask us to delete or remove personal information in limited circumstances, where: (i) it is no longer needed for the purposes for which it was collected; (ii) you have withdrawn your consent (where the data processing was based on consent); (iii) following a successful right to object (see Object to processing); (iv) it has been processed unlawfully; or (v) to comply with a legal obligation to which the Trust and/or Serco is subject.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for a number of reasons, including: (i) for compliance with a legal obligation; or (ii) for the establishment, exercise or defence of legal claims.
- Object to processing of your personal information by us or on our behalf which has our legitimate interests as its legal basis for that processing, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. You can object at any time to your personal information being processed for direct marketing (including profiling).
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, but only where: (i) its accuracy is contested, to allow us to verify its accuracy; (ii) the processing is unlawful, but you do not want it erased; (iii) it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or (iv) you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal information following a request for restriction, where: (i) we have your consent; (ii) to establish, exercise or defend legal claims; or (iii) to protect the rights of another natural or legal person.
- Request the transfer of your personal information. You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where: (i) the processing is based on your consent or on the performance of a contract with you; and (ii) the processing is carried out by automated means.
- Obtain a copy, or reference to, the personal data safeguards used for transfers outside the European Union. We may redact data transfer agreements to protect commercial terms.
- Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent (please refer to section 8 for details about withdrawing consent to direct marketing).
Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request.
We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
If you would like to exercise any of these rights, please submit your requests to: DPOLeisure@serco.com
or call +44 (0)1256 745900.
Subject to legal and other permissible considerations, we will make every effort to honour your request promptly to inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
16. Requests About Your Child’s Information
Children have the same rights over their own personal information as an adult. However, as young children may not understand these rights or are not capable of exercising these right, in some cases it may be appropriate for their parents / guardians to do so on their behalf. We may ask that a you provide information to validate your identity and authority to make the request prior to fulfilling a request.
17. Data Protection Contacts
Serco has a Data Protection Officer (DPO
Data Protection Officer
18 Bartley Wood Business Park
Alternatively, please email DPOLeisure@serco.com
or call +44 (0)1256 745900.
We ask that you please attempt to resolve any issues with us first by contacting the DPO, however you have a right to contact your local supervisory authority
at any time and lodge a complaint (which in the UK is the Information Commissioner's Office). The supervisory authority will then investigate your complaint accordingly.
When someone visits this website we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. If you do not want a cookie you can set your browser to deny it.
to understand how people find our websites, what content they view and how long they stay on the site. This is to enable us to improve functionality, navigation and content for our users. We also use authentication cookies when you are logged into the interactive parts of the website (online bookings, online signup, etc) to personalise your experience ensure your sensitive information is only ever shown to you.
The table below explains the cookies we use and why.
Google Analytics Cookies
|Utmz||Tracks where the visitor came from e.g. search engine or referring page or keyword.|
|Utma||Tracks each users number of visits, first visit, last visit.|
|Utmb and Utmc||Track when a visit starts and ends.|
Cookies for Interactive Features
|App_LGD_Cookie||Monitors whether accessing a page via mobile device (iPhone, Android, Windows Phone, etc...). It will remember if the user accessing via mobile device and will display the mobile optimised website.|
|ASP.Net_sessionID||This authentication cookie is used to understand that the user has logged in to an interactive area of the website.|
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.