Privacy notice for all users of ORIAM

Introduction

Your personal data and privacy is important to Oriam.  We could not provide you with our services and fulfil our obligations to you without collecting, holding and using your personal data. This guide explains what we do with your personal information and why, the type of information we gather, how the information is used, and when and why we share information with others.  

This Guide applies to:

  • All users of our facilities, including regular users, customers, members and partners
  • Anyone who uses our website oriamscotland.com, our join@home membership system or who registers at our reception 

Who is the data controller

Heriot-Watt Services Limited, a wholly owned subsidiary of Heriot-Watt University trading as Oriam, is the Data Controller for personal data we hold about you. Oriam is accountable to Heriot-Watt University and as a member of the Heriot-Watt University Group is subject to the University Data Protection Policy. Where we use the term ‘University’, this includes all members of the Heriot-Watt University Group including Oriam. We hold your personal data securely and restrict access to personal information to people who need to use it in the course of their duties. When collecting and processing information about you, we must comply with the UK Data Protection Act, 2018, the European Union General Data Protection Regulation (GDPR) and other relevant privacy laws.

What information we collect and use

We gather Personal Information and Anonymous Information from you when you visit our website. “Personal Information” means any information that may be used to identify an individual, including, but not limited to: a first and last name; e-mail address; a home, postal or other physical address (when using services designed to deliver or send items to you) or other contact information necessary to provide a service that you requested. “Anonymous Information” means information that is not associated with or linked to your Personal Information; Anonymous Information does not permit the identification of individual persons.
 
We collect and hold personal information in all formats for the purposes set out in this guide.
  • Name and address;
  • E-mail address
  • Financial information
  • Goods or services provided;
  • Visual images e.g. on a membership card

If you purchase through our website, we will record your billing address, however we do not record your payment card details.

If you email us directly via an email hyperlink or contact form to provide us with feedback or to ask us a question regarding the site, we will record any information contained in such email.

If you fill out a form on the site, which asks for your personal information, we will record your contact information and other fields within the form.

Where this is necessary to meet a legal obligation, or with your consent, we may also process sensitive information, also known as special categories of data under GDPR, or protected characteristics under UK human rights law which may include:

  • Age
  • Disability
  • Physical or mental health
  • Pregnancy and Maternity
  • Gender

Why we collect and use your personal data

We collect information about you in order to process your requests such as sending you our newsletters, managing your enquiry or your purchase of a product or service and managing your participation in one of our activities.
 

What is our legal basis?

  • For most of these activities, we need to process your data to fulfil a contract or service agreement you have entered into with us
  • If you register your interest in receiving information about membership services e.g. sports facilities, you can opt into communication about these and withdraw your consent to them at any time
  • Where necessary for our legitimate interests to improve and promote our services as long as this does not compromise your rights to data protection

For all users and potential users of Oriam: we collect, store and use information about you in order to deliver our services to you. We collect this information when you:

  • Sign up to receive emails
  • Request resources by post
  • Sign up for a training course
  • Participate in one of our activities
  • Join a health walk group
  • View our websites or contact us by email
  • Give us your details at an open day, event or conference
  • Seek your feedback on our environment, terms and conditions, and facilities

For administrative and financial management purposes. What is our legal basis?

  • We need to process your data to fulfil a contract you have entered into with us.

These may include:

  • Fees and payments
  • Catering services
  • Club and facility memberships

To meet our duty of care to you and our legal obligations.  What is our legal basis?

Where this is necessary to:

  • Comply with a legal obligation; this may be under employment, social security and social protection law, immigration law or another statutory duty
  • Protect vital interests in an emergency
  • Exercise or defend legal claims or comply with court judgements
  • Provide medical and health services
  • Protect public health. Comply with legal duties in the substantial public interest e.g. for equality monitoring

Specifically:

  • To meet our legal duty of care to you under health and safety and safeguarding laws
  • To protect your vital interests or someone else’s e.g. in a medical emergency

For public safety and the prevention and detection of crime What is our legal basis?

  • Where this is necessary for the prevention, investigation, detection or prosecution of criminal offences
  • Where required by law
  • For the safeguarding against and the prevention of threats to public security

Processing for these purposes includes:

  • Use of CCTV systems to monitor and collect visual images
  • IT security monitoring Fraud prevention and detection
  • Reporting incidents of suspected criminal activity to the police
  • Applying security, welfare and other procedural measures where necessary for the safety and security of our users, staff and the wider University community under health and safety and other relevant laws.

To improve our services and promote ORIAM and the University Group.  What is our legal basis?

  • Where we have your consent
  • Where necessary for our legitimate interests as long as this does not compromise your rights to data protection
  • Where necessary for archiving purposes in the public interest

In order to improve our services we may analyse data about our members’ use of facilities, responses to our promotional campaigns and usage of our website.

We may take photographs, and other images and recordings of users for possible use in our publicity and promotional material in print and online on our websites and social media. We always inform people when filming and will only feature you in such promotional material with your consent. We keep copies of promotional material in the University Archive as a record of Oriam activities down the years.

For archiving and research What is our legal basis?

  • Where this is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

While always protecting your rights to privacy we will:

  • Retain copies of promotional material and other records of Oriam events and activities community life that may include images and other data about you
  • Produce management and statistical information to monitor and improve our performance.

Who your information may be shared with and why

Unless we are required to do so by law, we do not share your personal data with any third parties. We do not share your information for marketing purposes with other organisations or companies.
 
We may appoint other companies and organisation to deliver services for us that require them to process your information in order to fulfil your requests. For example, we may need to share your information with an events company if you are due to attend one of our events and we are using an events company to manage that event. In the course of operating some of our services, your data may be stored temporarily with our contractors- for example database hosting companies and e-mail distribution services or online payment services. Where we share your information in these circumstances, Oriam has data processor agreements with these contractors to ensure that your data is as secure with them as it is with us. These contractors will not have the right to hold your details or to use them for any other purpose.
 
If there is an occasion on which we would like to share your personal data with a third party for any other reason ,except where we are required to do so by law, we will always let you know and will obtain your consent before doing so.
 
To meet our legal obligations to you and to ther organisations, we will:  
  • Help the emergency services (fire, police, ambulance) or a health professional to protect your vital interests or someone else’s e.g. in a medical emergency
  • Provide limited information necessary to an organisation with a statutory function, such as the police, Home Office or other Government Agency; Disclosure Scotland or other relevant disclosure services, where this is necessary for law enforcement
  • Meet a statutory or regulatory obligation, e.g. a court order 

How long we keep your personal data

We keep information about you only for as long as needed during the time you use our facility or have a membership with us and meet our legal obligations and rights. We keep a very limited record of our activities for archival purposes. Otherwise, all your personal data is destroyed securely no later than 6 years after you cease to be a member of Oriam. Read more about how long and why we keep your personal data.

Automated decision making

We do not take any decisions about you that would affect your application and usage of our facilities based solely on automated processing or profiling.

Your rights

You have the right to:

Find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request at hello@oriam.hw.ac.uk.  We may make a charge for additional copies of the same information

If you think, we are acting unfairly or unlawfully you can:

Under certain conditions, you also have the right to ask us to:

  • Restrict the use of your data e.g. if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns
  • Erase your information or tell us to stop using it to make decisions about you
  • Comply with your wishes where you have previously agreed to us processing your data for a particular purpose and have withdrawn your consent to further processing
  • Provide you with a portable electronic copy of data you have given us

Data Protection Officer and contact details

If you have any questions about what we do with your personal information or your rights under privacy laws, you can contact us via the details at the foot of this page.

Find out more about your rights under privacy law

In our Data Protection Policy and our protect information webpages.

Find out about our Information Security policies and procedures.

On the website of the UK Information Commissioner’s Office.

Key information

Ann Jones

Janette Maison