Odyssey Privacy Policy

Odyssey’s policy is to respect and protect the privacy of our website users, our guests, our volunteers and our staff. This Privacy Policy sets out what personal data Odyssey may process, how it may be used, and how we protect any information that you give us. This policy has been updated to comply with the new European General Data Protection Laws. We take great care to protect the personal data of anyone who gives us their details.

What information we collect

In order to process your course booking, we collect details from you such as your name, address, contact numbers, email and basic medical information. Once you have given us your details, it is securely stored (see below). Your medical notes will be deleted immediately after your course, but your other contact details are retained for future reference. If you choose not to provide any of the data we require, we may not be able to process your trip.

If you contact Odyssey through our Contact Page, we may collect details from you such as your First Name, Last Name, Email address and any other information you give us. When you browse odyssey.org.uk, we might also collect Usage Data. This helps us to improve the site by monitoring how you use it and respond to any feedback or communications you send us, if you’ve asked us to.

What happens to your information?

At Odyssey, we’re always working to improve our website and services, and so may use this information to better understand your requirements. We may also store your information internally for record keeping, which is then destroyed when it is no longer necessary to keep it.

You have the right to request what data we have about you, and for that data to be deleted (“right to be forgotten”). All present and past participants are given a username and password, so that they can log in to our secure online office, and view what data is held on them whenever they wish. It is only possible to view your own data.

Where is your data stored?

Your data is stored securely online in a separate system to our website. Data collected from other sources such as the main Odyssey website is stored on our local computer systems, web servers, as well as on various third party services we use as part of our IT System (e.g. email or file storage). As such, your information may be transferred to, stored, or processed in the United States where these companies and their servers are based. We are satisfied that all third party providers we use have either their own GDPR Compliant Policy in place, or participate in and have certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S Privacy Shield Framework.

We don’t share your information with any other organisations for marketing, market research or commercial purposes. Payment transactions are always encrypted and your payment details are never stored on our servers.

Data Breach Policy

Every care is taken to protect your personal data and to avoid, either accidentally or deliberately, a data protection breach. Odyssey is obliged under the General Data Protection Regulation Directive to have in place a framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility. Any individual who accesses, uses or manages data is responsible for reporting data breaches immediately. If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.

In the event of a breach, an investigation will be undertaken immediately. The investigation will need to take into account the following:

  • the type of data involved
  • its sensitivity
  • the protections in place (e.g. encryptions)
  • what’s happened to the data (has it been lost or stolen)
  • who the individuals are, the number of individuals involved and the potential effects on the data subject(s)
  • whether there are wider consequences to the breach

The Odyssey Managers will then determine who needs to be notified of the breach. Any incidents will be assessed on a case by case basis; however, the following will need to be considered:

  • whether there are any legal/contractual notification requirements
  • whether notification would assist the individual affected – could they act on the information to mitigate risks?
  • whether notification would help prevent the unauthorised or unlawful use of personal data
  • whether the Information Commissioner’s Office (ICO) should be notified. The ICO will only be notified if personal data is involved. Guidance on when and how to notify ICO is available from their website or /gdpr-breach-reporting-tips-for-local-government.pdf
  • the dangers of over notifying. Not every incident warrants notification and over notification may cause disproportionate enquiries and work

Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks.

Once the initial incident is contained, Odyssey will carry out a full review of the causes of the breach; the effectiveness of the response and whether any changes to systems, policies and procedures should be undertaken. Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring. If deemed necessary a report recommending any changes to systems, policies and procedures will be considered.

Links to other websites

odyssey.org.uk does contain links to and from other websites. This privacy policy only applies to this website, and cannot cover other websites that we link to. It’s important to know that if you go to another website from this one, you read the privacy policy on that website to find out what it does with your information.

This privacy policy was updated: 23rd April 2018.