Last updated: 11 February 2021
If you have any requests concerning your personal information or any queries with regard to our processing, please contact our Data Protection Officer at firstname.lastname@example.org. You may also contact us by writing to The Data Protection Officer, Royal Star & Garter, 15 Castle Mews, Hampton TW12 2NP.
- Information about us
- Collection of information about you
- Children’s data
- Other people’s data
- What we do with your information
- Legal basis for processing your information
- Sharing of your information
- Building profiles of our supporters
- Gifts in wills
- International transfers
- Direct marketing
- Recruitment and employment
- Security of personal information
- Payment card security
- Retention of personal information
- Your rights
Information about us
Collection of information about you
We may collect and process the following data about you:
- Information you give us. You may give us information about you by applying to live in our Homes, submitting an application to work, volunteering for us, donating to us or by corresponding with us by phone, e-mail or otherwise. The information you give us may include your name, address, e-mail address and phone number, financial and credit card information and personal description. You may also give us information through our website, social media pages, Family Connections, or by entering a competition.
- Sensitive personal data. We sometimes collect and use “sensitive personal data” about our employees, residents, potential residents and volunteers. This is defined as information about racial or ethnic origin, political opinions, religious or other similar beliefs, trade union membership, physical or mental health, sexual life, and criminal allegations, proceedings or convictions. We collect sensitive personal data to help us monitor equal opportunities, for safeguarding purposes, and to ensure that if you are, or wish to be, a resident, we are able to care for you appropriately.
- Technical information when you visit our website, including the Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, geographical location, browser plug-in types and versions, operating system and platform.
- We use Google Analytics and Google Signals to measure how you use our website. Google Analytics sets cookies that store anonymised information about how you got to the site, the pages you visit, how long you spend on each page and what you click on while you’re visiting the site. Google Signals makes use of tools to track users who log into their Google account across multiple devices and websites, and we use it to understand the composition of our audience, for marketing and as part of our Google Ads campaign.
It is our policy not to request donations or accept product orders from children under 18. If we are contacted by anyone under 18, before we collect data from them we will always ask them to:
- obtain the permission of a parent or guardian before we will talk or accept an order; and
- let an adult know before they use our sites to obtain information about fundraising or supporting our work.
Other people’s data
Some of the services we offer allow you to provide the personal data of other people (e.g. providing a friend’s name for event tickets you have purchased or tagging people on photos on social media). Before providing anyone else’s data please ensure they are happy for you to do so and under no circumstances must you make public another person’s home address, email address or phone number without their permission.
Family Connections: we ask a resident’s authorised person to identify other relatives who might like to access the portal. We ask them to confirm that potential users are happy to provide their contact details. We do not use data collected for Family Connections for any other purpose.
What we do with your information
For donors and supporters, we will use the information you provide to:
- request donations from you;
- fulfil your requests – such as provision of information, competition entries, participation in campaigns and donations;
- process sales transactions, donations, or other payments and verify financial transactions;
- handle orders, deliver products and communicate with you about orders;
- provide a personalised service to you – this could include customising the content and/or layout of our communications for individual users;
- record any contact we have with you;
- carry out our obligations arising from any contracts entered into between you and us;
- prevent or detect fraud or abuses of our website and enable third parties to carry out technical, logistical or other functions on our behalf;
- communicate with our donors and supporters; and
- if you have agreed to it, provide you with information that we think may be of interest to you, carry out research and analyse the demographics, interests and behaviour of our donors and supporters (including the value of donations) to help us gain a better understanding of them and to enable us to improve our services. This research and analysis may be carried out internally by our employees or we may ask another company to do this work for us.
We will also use your information to process and acknowledge any application that you make to work or volunteer for us or apply to live in one of our Homes.
Legal basis for processing your information
We rely on one or more of the following processing conditions in order to process your personal information:
- our legitimate interests in the effective delivery of information and services to you (provided these do not interfere with your rights);
- to satisfy any legal and regulatory obligations to which we are subject;
- to perform our obligations under any contracts that we have agreed with you; or
- where no other condition for processing is available, if you have agreed to us processing your personal information for the relevant purpose.
Sharing of your information
Your personal information may be transferred to third party service providers who process information on our behalf. These partners may include mailing houses, marketing agencies, telemarketing companies, IT specialists and specialist research firms. The kind of work we may ask them to do includes processing, packaging, mailing and delivering purchases, answering questions about products or services, sending postal mail, emails and text messages, making phone calls on our behalf, carrying out research, or analysis and processing card payments. We only choose partners we can trust. We will only pass personal data to them if they have signed a contract that requires them to:
- abide by the requirements of the GDPR;
- treat your information as carefully as we would;
- use the information for the purposes for which it was supplied and no other purpose; and
- allow us to carry out checks to ensure they are doing all these things.
Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.
We never sell your information to, or share it with, other organisations to use for their own purposes other than as explained above.
Building profiles of our supporters
Royal Star & Garter was founded with the help of philanthropy, and philanthropy continues to make an enormous impact on our work. Developing a better understanding of our supporters through their personal data allows us to fundraise more efficiently and make better decisions.
We may use profiling and screening techniques, including some automated techniques, such as postcode segmentation, to ensure our communications are relevant and timely, and to provide an improved experience for our supporters. Profiling also allows us to better understand the background of the people who support us and helps us to make more appropriate requests to supporters.
In order to better understand your interests and preferences and contact you with the most relevant communications, we may analyse the history of your support to us, as well as geographic, demographic and other information relating to you. We may use additional information from third party sources; such information is compiled using only publicly available data.
The Charity Commission requires us to know where funds come from and we may use a due diligence process to research the origins of significant donations and their donors.
If you object to this, please contact us via the means set out below.
Gifts in wills
If you have told us that you have left a gift in your will, or are thinking about doing so, we will keep details of this. If we have a conversation or interaction with you (or with someone who contacts us in relation to your will, such as your solicitor), we will make a note of these throughout your relationship with us, as this helps to ensure we direct your gift as you wanted.
Where a donor has passed away and we are in the process of receiving their legacy gift, we will process personal data of individuals involved in the estate administration for the purpose of ensuring our compliance with legal obligations in receiving and using the legacy gift for our charitable purposes. This includes names, addresses and other contact details of next of kin, those involved in administration of the estate, professional advisors and other beneficiaries in a will. Access to this personal data is restricted, and the data is stored for as long as necessary to administer our legacy.
We rely on legitimate interests to process personal data of individuals involved with the supporter and their estate. Where we would like to process data that is not for the direct purpose of the legacy administration process, we will seek specific consent from an individual – for example, if we would like to remain in contact with a donor’s relative to update them on how the legacy has been used.
Transfers outside the UK will be only:
- to a recipient located in a country which provides an adequate level of protection for your personal information; and/or
- under an agreement or mechanism which satisfies UK requirements for the transfer of personal data to data processors or data controllers outside the UK, such as standard contractual clauses approved by the European Commission or the US Privacy Shield Framework in relation to transfers of personal data from the UK to the USA.
We conduct marketing via post, email, telephone and SMS.
Where we are legally required to obtain your explicit consent to provide you with marketing materials, we will only provide you with such marketing materials if you have provided consent for us to do so.
We may also send marketing information to you by post if we believe we have a legitimate interest to do so.
Marketing information that you may receive from us includes information about the goods and services we offer, fundraising appeals, competitions, events, employment, volunteering and information about our work.
Whenever we send you direct marketing/fundraising appeals we will always provide you with a clear method to unsubscribe from receiving further information from us. Every email/SMS message we send will include a link to unsubscribe. If you want to unsubscribe from mailing lists or any marketing, you should look for and follow the instructions we have provided in the relevant communications to you.
If you do not wish to receive emails or marketing communications from us, you can at any time contact us to request that such communications cease. If you choose to unsubscribe from any or all mailings, we may retain information sufficient to identify you so that we can honour your request.
If you want to unsubscribe or change the way we communicate with you, you can do so by:
- emailing email@example.com;
- visiting www.starandgarter.org/intouch; or
- calling our Supporter Care team on weekdays between 8.30am-4.30pm on 020 8481 7676.
Recruitment and employment
If you work for us, or apply for a job with us, we will process your personal data, including sensitive personal data, to comply with our contractual, statutory and management obligations and responsibilities.
This data can include, but is not limited to, information relating to your health, racial or ethnic origin, and criminal convictions. In certain circumstances, we may process personal data or sensitive personal data without explicit consent.
Our contractual responsibilities include those arising from a contract of employment. This includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay, leave, maternity pay, pension and emergency contacts.
Our statutory responsibilities are those imposed by law on us as an employer. This includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits and equal opportunities monitoring.
Our management responsibilities are those necessary for the way the organisation functions. This includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters and contact details.
Our properties have Closed Circuit Television (CCTV) and you may be recorded when you visit them.
CCTV is used to provide security and protect our residents, staff and visitors. CCTV will only be viewed when necessary (for example, to detect or prevent crime) and footage is stored for a set period of time, after which it is recorded over. We comply with the Information Commissioner’s Office CCTV Code of Practice and we put up notices so you know when CCTV is used.
Security of your personal information
We have implemented generally accepted standards of technology and operational security in order to protect personal information from loss, misuse, alteration or destruction. Only authorised persons are provided access to personal information collected via the website; these individuals have agreed to maintain the confidentiality of this information. We use secure server software (SSL) to encrypt financial and personal information you input via our website before it is sent to us.
Although we use appropriate security measures once we have received your personal data, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavour to protect personal data, but we cannot guarantee the security of data transmitted to or by us.
Where you or we have provided a password enabling you to access parts of our websites or use our services, it is your responsibility to keep this password confidential. Please do not share your password with anyone.
Payment card security
Where you give us money using a bank payment card, we use an active PCI-DSS (Payment Card Industry Data Security Standard) compliance programme. This is the stringent international standard for safe card payment processes. As part of our compliance, we ensure that our IT systems do not directly collect or store your payment card information, such as the full 16-digit number on the front of the card or the security code on the back.
Where we collect your payment information from a form you have completed and posted to us, or where you make a payment over the telephone, we destroy any written records the same day.
Retention of personal information
We will retain your personal information only for as long as it is required for the purposes for which it was collected, or as we are required to do so by law. When we no longer need information, we will dispose of it securely, using specialist companies if necessary to do this work for us.
You have certain rights in relation to the personal information we hold about you. In particular, you have a right to:
- request a copy of personal information we hold about you (commonly referred to as a subject access request);
- ask that we update the personal information we hold about you, or correct such personal information that you think is incorrect or incomplete;
- ask that we delete personal information that we hold about you, or restrict the way in which we use such personal information;
- object to our processing of your personal information;
- withdraw your consent to our processing of your personal information (to the extent such processing is based on consent and consent is the only permissible basis for processing); and/or
- request portability of your personal information.
If you would like to exercise these rights, please contact the Data Protection Officer in writing. You may be asked to provide the following details:
- The personal information you want to access
- Where it is likely to be held
- The date range of the information you wish to access.
We will need to ask you to confirm your identity. If we hold personal information about you, we will give you a copy of the information in an understandable format together with an explanation of why we hold and use it. We will aim to respond to any requests for information promptly, and in any event within the legally required time limits (30 days). This timeframe may be extended by up to two months if your request is particularly complex.
We may charge for a request to access your information, if permitted by applicable law. For example, we may charge a reasonable fee based on administrative costs for providing further copies of your information.
We are not a ‘public authority’ as defined under the Freedom of Information Act 2000. We will not use our funds to respond to requests for information made under this Act.
For more information about your rights under the GDPR, please visit the website of the Information Commissioner’s Office at https://ico.org.uk/
Post: The Data Protection Officer, The Royal Star & Garter Homes, 15 Castle Mews, Hampton – TW12 2NP.
You may also have the right to lodge a complaint with the UK’s data protection regulator, the Information Commissioner’s Office. For further information on your rights and how to complain to the ICO please refer to the ICO website: https://ico.org.uk/.