Last updated: 14 June 2024

Looking for the VFF privacy policy? You can find it here.

This privacy policy describes what information we gather about you, what we use that information for and who we give that information to. It explains why and how we collect and use the information. This privacy policy also sets out your rights in relation to your information and who you can contact for more information or queries.

If you have any requests concerning your personal information or any queries with regard to our processing, please contact our Data Protection Officer at charitysecretary@starandgarter.org. You may also contact us by writing to The Data Protection Officer, Royal Star & Garter, 15 Castle Mews, Hampton TW12 2NP.

This privacy policy consists of the sections set out below. Please click on the section below for ease of navigation.

• Information about us
• Collection of information about you
• Data about children
• Other people’s data
• What we do with your information
• Legal basis for processing your information
• Sharing of your information
• Building profiles of our supporters
• Gifts in wills
• International transfers
• Direct marketing
• Recruitment and employment
• CCTV
• Security of personal information
• Payment card security
• Cookies
• How long we keep your information for

In this privacy policy, references to ‘we’, ‘us’, ‘our’ are references to Royal Star & Garter. We are a registered charity (registration number 210119). We and the Governors of Royal Star & Garter are the “controller” for the purposes of the UK General Data Protection Regulation (“GDPR”). Our ICO registration number is Z5712729.

Depending on how you interact with us, we will need different information about you.

We may collect and process the following data about you:

• Information you give us. You may give us information about you by applying to live in our Homes, submitting an application to work, volunteering for us, donating to us, being a supplier or by corresponding with us by phone, e-mail or otherwise. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information, right to work documentation and personal description. You may also give us information through our website, social media pages, Family Connections, or by entering a competition.
• Sensitive personal data. We sometimes collect and use special category data (sensitive personal data) about our employees, residents, potential residents, users of other services such as Day Care and volunteers. This is defined as information about racial or ethnic origin, political opinions, religious or other similar beliefs, trade union membership, physical or mental health, sexual life, and criminal allegations, proceedings or convictions. We collect sensitive personal data to help us monitor equal opportunities, for safeguarding purposes, and to ensure that if you are, or wish to be, a resident, we are able to care for you appropriately.
• Information that you give to third parties. We may receive information about you from third parties. Where we receive personal data that relates to you from a third party, we request that this third party inform you of the necessary information regarding the use of this data. Where necessary, they may refer to this privacy policy.
• Your information may be shared with us by independent fundraising websites such as (but not limited to) Just Giving, Virgin Money Giving or PayPal Giving Fund. These third parties will only do so when you have indicated that you wish to support us and with your consent.
• If you are a resident, or wish to be a resident in our Homes, we may receive information about you from your GP or another medical provider in order to assess your need for, or to provide care for you.
• Technical information when you visit our website, including the Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, geographical location, browser plug-in types and versions, operating system and platform
• We use Google Analytics and Google Signal to measure how you use our website. Google Analytics sets cookies that store anonymised information about how you got to the site, the pages you visit, how long you spend on each page and what you click on while you’re visiting the site. Google Signals makes use of tools to track users across multiple devices and websites who log into their Google account, and we use it to understand the composition of our audience, marketing and as part of our Google Ads campaign.

It is our policy not to request donations or accept orders from children under 18. If we are contacted by anyone under 18, before we collect data from them we will always ask them to obtain the permission of a parent or guardian before we will talk or accept an order.

Where anyone under 18 contacts us about volunteering or work experience in our Homes we will ask them to let an adult know about their application. We will collect information about them only where it is necessary to progress an application to volunteer or work for us and as set out in  “information we collect about you”.

Some of the services we offer allow you to provide the personal data of other people. Before providing anyone else’s data please ensure they are happy for you to do so and under no circumstances must you make public another person’s home address, email address or phone number without their permission.

Family Connections: we ask a resident’s authorised person to identify other relatives who might like to access the portal. We ask them to confirm that potential users are happy to provide their contact details. We do not use data collected for Family Connections to be used for any other purpose.

When you provide personal information to us, we may use it for any of the purposes described in this privacy policy or as stated at the point of collection (or as obvious from the context of collection).

For donors and supporters, we will use the information you provide to:

• request donations from you;
• fulfil your requests – such as provision of information, competition entries, participation in campaigns and donations;
• process donations or other payments and verify financial transactions;
• provide a personalised service to you;
• record any contact we have with you;
• to carry out our obligations arising from any contracts entered into between you and us;
• prevent or detect fraud or abuses of our website and enable third parties to carry out technical, logistical or other functions on our behalf;
• if you have agreed to it, provide you with information that we think may be of interest to you,
• carry out research and analyse the demographics, interests and behaviour of our donors and supporters (including the value of donations) to help us gain a better understanding of them and to enable us to improve our services. This research and analysis may be carried out internally by our employees or we may ask another company to do this work for us.

If you are, or are considering being, a resident, or use our Day Care or Lunch Clubs we may use information you provide to:

• assess and provide the care you need,
• carry out our obligations from any contracts entered into between you and us,
• comply with our legal obligations in providing care to you,
• support joined up care between the Home and the NHS including GP Connect, the National Record Locator, and if you are a resident in our Surbiton Home, the London Care Record
• process payments for our services

If you are a user of our Telephone Friendship Service, we may use your information to:

• allocate you a befriender
• direct you to other services that may be able to help you.

We will also use your information to process and acknowledge any application that you make to work or volunteer for us or apply to live in one of our Homes.

We rely on one or more of the following processing conditions in order to process your personal information:

• our legitimate interests in the effective delivery of information and services to you (provided these do not interfere with your rights);
• to satisfy any legal and regulatory obligations to which we are subject;
• to perform our obligations under any contracts that we have agreed with you; or
• where no other condition for processing is available, if you have agreed to us processing your personal information for the relevant purpose.

We hold and use special category data for the provision of health and social care.

We may share your personal information with our employees, officers or professional advisers where it is reasonably necessary for the purposes set out in this privacy policy.

Third party processors can include:

• mailing houses, marketing agencies, telemarketing companies
• processors of financial payments and receipts
• IT specialists and cloud service providers
• suppliers of technical and support services
• businesses that assist us in providing services to you
• payroll management
• (where you are a resident) your GP and other healthcare providers (NHS or private)
• the National Record Locator and the London Care Record supporting shared care information
• authorities when we are required by law, for example the emergency services when you are injured or unwell and require treatment or the police when investigating an incident
• regulatory bodies who mandate reporting, or where we have a statutory duty to share information or demonstrate compliance.

We only choose partners we can trust. Unless required by law, we will only pass personal data to them if they have signed a contract that requires them to:

• abide by the requirements of the GDPR;
• treat your information as carefully as we would;
• use the information for the purposes for which it was supplied and for no other purpose; and
• allow us to carry out checks to ensure they are doing all these things.

We never sell or share your information to other organisations to use for their own purposes other than as explained above.

Royal Star & Garter was founded with the help of philanthropy, and philanthropy continues to make an enormous impact on our work. Developing a better understanding of our supporters through their personal data allows us to fundraise more efficiently and make better decisions.

We may use profiling and screening techniques, including some automated techniques, such as postcode segmentation, to ensure our communications are relevant and timely, and to provide an improved experience for our supporters. Profiling also allows us to better understand the background of the people who support us and helps us to make more appropriate requests to supporters.

In order to better understand your interests and preferences and contact you with the most relevant communications, we may analyse the history of your support to us, as well as geographic, demographic and other information relating to you. We may use additional information from third party sources, such information is compiled using only publicly available data.

The Charity Commission requires us to know where funds come from and we may use a due diligence process to research the origins of significant donations and their donors.

If you object to this, please contact us via the means set out below.

If you have told us that you have left a gift in your will, or are thinking about doing so, we will keep details of this. If we have a conversation or interaction with you (or with someone who contacts us in relation to your will, such as your solicitor), we will make a note of these throughout your relationship with us, as this helps to ensure we direct your gift as you wanted.

Where a donor has passed away and we are in the process of receiving their legacy gift, we will process personal data of individuals involved in the estate administration for the purpose of ensuring our compliance with legal obligations in receiving and using the legacy gift for our charitable purposes. This includes names, addresses and other contact details of next of kin, those involved in administration of the estate, professional advisors and other beneficiaries in a will. Access to this personal data is restricted and stored for as long as necessary to administer our legacy.

Where we would like to process data that is not for the direct purpose of the legacy administration process, we will seek specific consent from an individual – for example, if we would like to remain in contact with a donor’s relative to update them on how the legacy has been used.

Businesses often use third parties to help them host their application, communicate with customers and power their emails. Third party organisations engaged by us to process your personal information for the purposes set out in this privacy policy may be situated outside the United Kingdom and may therefore transfer personal information outside the UK. In order to make these systems and services work we may need to share your data with them. We will have a contract with the third party organisation requiring them to use your information only as instructed by us.

Transfers outside the UK will be only:

• to a recipient located in a country which provides an adequate level of protection for your personal information; and/or
• under an agreement or mechanism which satisfies UK requirements for the transfer of personal data to data processors or data controllers outside the UK, such as standard contractual clauses approved by the European Commission or the US Privacy Shield Framework.

We conduct marketing via post, email, telephone, SMS (text).

Where we are legally required to obtain your explicit consent to provide you with marketing materials, we will only provide you with such marketing materials if you have given consent for us to do so.

We may also send marketing information to you by post if we believe we have a legitimate interest to do so.

Marketing information that you may receive from us includes information about the services we offer, fundraising appeals, competitions, events, Christmas cards, employment, volunteering and information about our work.

Whenever we send you direct marketing/fundraising appeals we will always provide you with a clear method to unsubscribe from receiving further information from us. Every email/SMS message we send will include a link to unsubscribe. If you want to unsubscribe from mailing lists or any marketing, you should look for and follow the instructions we have provided in the relevant communications to you.

If you do not wish to receive emails or marketing communications from us, you can at any time contact us to request that such communications cease. If you choose to unsubscribe from any or all mailings, we may retain information sufficient to identify you so that we can honour your request.

If you want to unsubscribe or change the way we communicate with you, you can do so by:

• emailing donations@starandgarter.org;
• visiting www.starandgarter.org/intouch; or
• calling our Supporter Care team on weekdays between 8.30am-4.30pm on 020 8481 7676.

If you work for us, or apply for a job with us, we will process your personal data, including sensitive personal data, to comply with our contractual, statutory and management obligations and responsibilities.

This data can include, but is not limited to, information relating to your health, racial or ethnic origin, professional qualifications and criminal convictions. In certain circumstances, we may process personal data or special category (sensitive) personal data without explicit consent.

Our contractual responsibilities include those arising from a contract of employment. This includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay, leave, maternity pay, pension and emergency contacts.

Our statutory responsibilities are those imposed by law on us as an employer. This includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity or paternity pay, family leave, right to work, work permits and equal opportunities monitoring.

Our management responsibilities are those necessary for the way the organisation functions. This includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters and contact details.

More information is available in our Staff Privacy Policy.

Our properties have Closed Circuit Television (CCTV) and you may be recorded when you visit them.

CCTV is used to provide security and protect our residents, staff and visitors. CCTV will only be viewed when necessary (for example, to detect or prevent crime or to trace a missing resident) and footage is stored for a set period of time, after which it is recorded over. We comply with the Information Commissioner’s Office CCTV Code of Practice and we put up notices so you know when CCTV is used.

We take all reasonable precautions to safeguard the confidentiality of personal information. We have implemented generally accepted standards of technology and operational security in order to protect personal information from loss, misuse, alteration or destruction.

Only authorised persons are provided access to personal information collected via the website; these individuals have agreed to maintain the confidentiality of this information.

We use secure server software (SSL) to encrypt financial and personal information you input via our website before it is sent to us.

Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to or by us.

Where you or we have provided a password enabling you to access parts of our websites or use our services, it is your responsibility to keep this password confidential. Please do not share your password with anyone.

Where you give us money using a bank payment card, we use an active PCI-DSS (Payment Card Industry Data Security Standard) compliance programme. This is the stringent international standard for safe card payment processes. As part of our compliance, we ensure that our IT systems do not directly collect or store your payment card information, such as the full 16-digit number on the front of the card or the security code on the back.

Where we collect your payment information from a form you have completed and posted to us, or where you make a payment over the telephone, we destroy any written records the same day.

Our website uses cookies so that we can track how users navigate through our website, in order to enable us to evaluate and improve our website. For detailed information on the cookies we use and the purposes for which we use them please read our cookies policy.

We will keep your personal information only for as long it is required for the purposes for which it was collected, or as required to do so by law. When we no longer need information, we will dispose of it securely, using specialist companies if necessary to do this work for us.

You have certain rights in relation to the personal information we hold about you. In particular, you have a right to:

• request a copy of personal information we hold about you (commonly referred to as a subject access request);
• ask that we update the personal information we hold about you, or correct such personal information that you think is incorrect or incomplete;
• ask that we delete personal information that we hold about you, or restrict the way in which we use such personal information;
• object to our processing of your personal information;
• withdraw your consent to our processing of your personal information (to the extent such processing is based on consent and consent is the only permissible basis for processing); and/or
• request portability of your personal information.

If you would like to exercise these rights, please contact the Data Protection Officer. You may be asked to provide the following details:

• The personal information you want to access
• Where it is likely to be held
• The date range of the information you wish to access.

We will need to ask you to confirm your identity. If we hold personal information about you, we will give you a copy of the information in an understandable format together with an explanation of why we hold and use it. We will aim to respond to any requests for information promptly, and in any event within the legally required time limits (30 days). This timeframe may be extended by up to two months if your request is particularly complex.

We may charge for a request to access your information, if permitted by applicable law. For example, we may charge a reasonable fee based on administrative costs for providing further copies of your information.

We are not a ‘public authority’ as defined under the Freedom of Information Act 2000. We will not use our funds to respond to requests for information made under this Act.

For more information about your rights under the GDPR, please visit the website of the Information Commissioner’s Office at https://ico.org.uk/

If you have any questions or complaints about this privacy policy or the way your personal information is processed by us, or would like to exercise one of your rights set out above, please contact us by one of the following means:

Email: charitysecretary@starandgarter.org

Post: The Data Protection Officer, Royal Star & Garter, 15 Castle Mews, Hampton TW12 2NP.

You may also have the right to lodge a complaint with the UK’s data protection regulator, the Information Commissioner’s Office. For further information on your rights and how to complain to the ICO please refer to the ICO website: https://ico.org.uk/.