Customer Privacy Notice

Overview

The Access Card scheme works by Nimbus providing a centralised assessment of a disabled person's evidenced needs whereby we translate detailed personal information into a set of symbols that represent their access requirements. This enables disabled people to quickly and discreetly communicate their needs when visiting a venue.

Nimbus does not share any detailed personal information. Nimbus only enables you to share the symbolic information available as Access Card icons to authorised third parties as outlined in this document.

A little about us…

We are a well-established Social Enterprise which started in 2006, we are run by disabled people for disabled people. In addition to promoting equality and accessibility, we are wholly committed to ensure that your personal data is treated appropriately and that your privacy rights are respected.

We are a registered Data Controller with the Information Commissioner, our registration number is ZA020704.

Your Privacy matters to us:

We appreciate the trust you place in us when sharing your personal data, the security of your data is very important to us. In this notice, we will explain how we collect, use, and protect your personal data. We will also provide information on what rights you have with regards to your personal data and how you can exercise those rights.

We appreciate that the world of data protection can seem a little complicated, so we will try to explain things in a simple and straightforward way.

We collect information from:

• You, when you provide it directly to us either as a new or returning customer
• A guardian or appointed representative
• Online enquiries via our website and google ads

What information we collect:

• Contact details (such as name, address, phone, email)
• Health & disability information (such as details of conditions, capacity, accessibility needs)
• Contact information & legal status of representatives & guardians where appropriate
• Call recordings, apart from where payment is taken over a call
• Optional: Demographic information – such as age, gender, ethnicity etc.
• Optional: Leisure, tourism and event preferences to tailor updates
• Payment information and transaction details is taken through our website/app via Stripe
• Enquiries about services and products
• Any concerns you may have

We will use your personal data to:

• Process your application & assess your suitability for an Access Card – in accordance with our terms & conditions
• Produce and provide your access card
• Notify you of changes, expirations, cancellations in regard to your access card
• Promote services and products in line with your leisure, tourism and event preferences
• Manage the information and keep it secure & up to date
• Process payments and invoices
• Record & review calls and wider correspondence for training and monitoring purposes
• Identify the most appropriate services and opportunities for you
• Assist with your applications and registrations for third parties, such as venues and events, where you choose us to
• Process payments and transactions
• Comply with our legal obligations

Do we have a basis in law to process your information?

We largely process your personal data in accordance with our contractual obligations.

We also process personal information in accordance with our ‘legitimate interests’ this includes considering benefits to the customer and our company…but don’t worry, we respect your privacy rights to ensure that the benefits pass privacy tests before using personal information in this way!

Where it’s appropriate to do so, we will ask for your consent to ensure we are clear on your choices.

We always need to follow the law so there may be some cases where we are legally required to share information with statutory partners & Ombudsman – these are official Organisations like the Police. We’ll tell you more about this in the ‘who we share information with’ section. We have numerous legal obligations, including but not limited to, those that are stipulated under the following laws:

• The Data Protection Act 2018
• The UK General Data Protection Regulations
• The Privacy & Electronic Communications Regulations
• The Human Rights Act 1998
• The Equality Act 2010
• The Consumer Rights Act 2015
• The Safeguarding Vulnerable Groups Act 2006

Can you opt out?

Of course! Wherever we have used your information in line with legitimate interests and consent you will usually be able to opt out by emailing cards@accesscard.org.uk.

There may be some cases where we have to hang on to some information – we explain this in the ‘information we keep’ section.

Who we share information with:

Statutory partners for investigations and audits such as the Police, the Information Commissioner and so on.

Subcontracted organisation & individuals that we formally engaged in the development and hosting of our systems.

Courts and Tribunals where necessary.

Where appropriate, within the Access Card app, we promote details of our trusted partners' offers, services and products.

In limited circumstances we may share information with a local authority for example we currently work with Croydon City Council for the disabled children’s registration scheme.

Any third party ticket sites are authorised to validate your access information via an API. This is only possible by authorised providers, and to do so you must provide them with your forename, surname and card ID. This acts as consent for them to pull your Access Card symbols into their systems.

With the correct information, the additional information we share back to the provider is your face photograph (for validation purposes), and your allotted access symbols (all of which are shown on the physical Access Card).

International Transfers:

We are committed to ensuring that any international transfer comply with UK Data Protection Legislation. In most cases, it will be necessary for us to implement the appropriate contractual safeguards prior to transferring such data.

We note that customers can sign up to our services from anywhere in the world. Customers can also opt to share their own data with overseas leisure and tourism providers such as Disneyland Paris.

Your rights for personal data:

• ask for a copy of the personal data we hold about you. Assuming your request is reasonable, we will provide a copy of all the personal data we hold about you and you can check that we’re processing it lawfully. This can be done by emailing dpo@nimbusdisability.com and we will respond with some security questions before sending any information to your postal address as per your application.
• ask us to correct the personal data that we hold about you
• ask us to delete your personal data. This one’s a little tricky! If, for some reason, we still hold your data, but without good reason, at your request we’ll delete it, there may be certain reasons why we need to hold on to information but we will explain these
• object to us processing your personal data. This applies where we’re relying on a “legitimate interest” of ours or a third party, and you have a situation which makes you want to object to us processing your data.
• ask for the restriction of the processing of your personal data. This means you can ask us to suspend the processing of personal data about you
• ask for the transfer of your personal data to you or another data controller if the processing is based on consent or contract – and you provided that information to us
• withdraw consent for processing – we’ve mentioned this above in the ‘can you opt out?’ section
• Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically. We don’t make automatic decisions, we carefully reach decisions about you and your information

Information we keep:

We keep your personal data for as long as we have to and always do this in line with data protection laws. We don’t want to keep your data any longer than we need to!

We store information securely, we mainly keep this digitally on our protected devices, we may also keep paper records for a certain period of time but don’t worry we’ll keep these secure as well.

For more information please refer to our customer retention schedule below.

Have some privacy concerns or questions?

Our Data Protection Officer is Mark Briggs

You can email: dpo@nimbusdisability.com

Or call: 0330 808 5108

Or write to: Nimbus Disability, Suite GB, Pentagon House, Sir Frank Whittle Road, Derby, DE24 4XA

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):

By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit ico.org.uk or email icocasework@ico.org.uk

Cookies Policy:

We do not set any cookies on our websites (accesscard.online or nimbusdisability.com). In our Access Card app, we set one session cookie containing a randomised number that is used to keep the user logged in after closing the app.

When was this policy last updated?

April 2024.

Nimbus Disability, CredAbility & Access Card - Retention Schedule

All Information must be kept in accordance with this retention schedule. In the event that employees identify any discrepancies or areas which are not covered by this retention schedule this should be promptly reported to the Data Protection Officer for review.

• Customer records
  • A1: General enquiries around services and products: 6 years from last contact. Limitation Act 1980
  • A2: Complaints and incident records: 6 years from last contact. Limitation Act 1980
  • A3: Data Protection Requests and correspondence: 6 years from last contact. Limitation Act 1980
  • A4: Application for access card: For the life of the application, 6 years from expiry/cancellation of card or non-eligibility decision. Terms & Conditions, Limitation Act 1980
  • A5: Distribution lists/ Contact databases: 2 years from last contact, data may be deleted if an individual has opted out or if a valid request to object/erase or restrict has been received. Business Need, Data Protection Act 2018, ICO Guidance
  • A6: Customer feedback and surveys (where not a complaint): 2 years from last contact, data may be deleted if an individual has opted out or if a valid request to object/erase or restrict has been received. Business need, Data Protection Act 2018, ICO Guidance
  • A7: Marketing records: 6 years from last use. Limitation Act 2018, Privacy and Electronic Communications Regulations, Data Protection Act 2018
  • A8: Call recording: 6 months from creation of the record unless the record relates to an incident or complaint in which case the relevant period retention will apply. Business need.
• Corporate Records
  • B1: Audit records: 6 years from conclusion of audit/issue of audit report. Business need & applicable legislation/standards, which may include: Financial regulations, data protection laws/cyber security standards, payment card industry standards, equality legislation.
  • B2: Policies, Procedures and contracts: 6 years from expiry. Limitation Act 1980
  • B3: Payment information & financial transactions: 6 years from transaction. Limitation Act 1980
  • B4: Corporation records: The lifetime of the company. Company laws and financial regulations
  • B5: Company accounting records – excluding payroll records: 3 years. Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006.
• Employment records
  • C1: Disciplinary Management of staff conduct: Records of formal disciplinary actions in employee files. Retain both paper and electronic for review 6 years after last action. Employment legislation, Limitation Act 1980, The National Archives Retention Scheduling: Employee Personnel Records.
  • C2: Grievances Management of staff grievances: Records of formal grievances in employee files. Retain both paper and electronic for review 6 years after last action. Employment legislation, Limitation Act 1980, The National Archives Retention Scheduling: Employee Personnel Records.
  • C3: Staff Health and Safety: Individual health records: Retain until employee aged 100. Examination, testing, monitoring and control records: Review 5 years after last action. Accident books and ill health reports: Destroy 3 years after closure. Training, guidance and instructions: Review 3 years from date superseded. The National Archives Retention Scheduling: Employee Personnel Records, The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980.
  • C4: Occupational Health: Medicals: Retain until employee aged 100. Procedures, events, employee assistance schemes: 7 years from date superseded. Schedules: Destroy 3 years from the end of the financial year to which the records relate. The National Archives Retention Scheduling: Employee Personnel Records, Best Practice, Employment legislation, Limitation Act 1980.
  • C5: Trade Union Agreements: 10 years after agreement is not effective. Best practice, Employment legislation, Limitation Act 1980.
  • C6: Employee Files: Retain until employee age 100. Employment legislation, Limitation Act 1980, The National Archives Retention Scheduling: Employee Personnel Records.
  • C7: Records of recruitment exercises: Recruitment exercises: Review 6 months from end of recruitment exercise. Application forms: Destroy after 6 months. Employment legislation, Limitation Act 1980, The National Archives Retention Scheduling: Employee Personnel Records.
  • C8: Conditions of employment: Review 6 years after date superseded. Employment legislation, Limitation Act 1980, The National Archives Retention Scheduling: Employee Personnel Records.
  • C9: Payroll Administration: Salary ledger records: Review 6 years from the end of the financial year to which they relate. Payroll sheets: Review 2 years from the end of the financial year to which they relate. Individual employees personal payroll history: Retain until employee aged 100. Employment legislation, Limitation Act 1980, The National Archives Retention Scheduling: Employee Personnel Records.
  • C10: Pensions Administration: Retain until employee aged 100. Employment legislation, Limitation Act 1980, The National Archives Retention Scheduling: Employee Personnel Records, Best Practice adopted by Governmental Agencies.
  • C11: First Aid Training records: 6 years after employment. Health and Safety (First Aid) Regulations 1981, Employment legislation, Limitation Act 1980.
  • C12: Fire warden training: 6 years after employment. Statutory authority: Fire Precautions (Workplace) Regulations 1997, Employment legislation, Limitation Act 1980.
  • C13: Maternity/Paternity Records: 6 years after the end of the tax year in which the maternity/paternity period ends. The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended, Maternity & Parental Leave Regulations 1999, Employment legislation, Limitation Act 1980.
  • C14: Medical / Self Certificates – unrelated to industrial injury: 6 Years. Limitation Act 1890.
  • C15: Internal Communication channels: 1 month. Business need – internal comms should not be used to document official business decisions or discuss personal data relating to employees or customers.