Don't know if the following is of any help at all - I'm sure I've still got things to learn on GDPR and different schools seem to have different ideas about it.
We have built our own online booking and admin but currently our parental consent forms (that include the privacy statement) are not part of it - that is, schools download them from our system and email them out to parents, who send them to the school office. Instructors check them over and then hand them back to the office. Our non-school booking does have online details, but depersonalises it after the training date has finished.
Our information governance team agreed the following wording on our consent forms if it's of any help to you, I am currently double-checking if it is still robust enough for GDPR:
"Use of your personal information: the school looks after this consent form. When our Instructors arrive at the school, they will ask to see the consent forms and hand them back to the school staff after having looked at them and before starting their teaching. We use course registers that contain each trainee’s name and the outcomes achieved. We keep completed registers in our office for two years and then dispose of them securely. We never pass personal information on to third parties."
© TABS, powered by microcosm.
Report a problem
The Association of Bikeability Schemes.