WHO PROCESSES YOUR INFORMATION?
Star Academies are partnering with our sister organisation, Shine Charity, to ensure that no members of the Star family suffer unnecessarily as a result of the coronavirus pandemic.
Star Academies will be the Joint Data Controller for the personal information that supporters, those we support, and volunteers provide to us. This means that, along with Shine Charity, we determine the purposes for which, and the manner in which, any personal data is to be processed.
If you have any queries regarding anything in this privacy notice, please contact:
Head of Governance and Corporate Services
Data Protection Officer
Blackburn, BB1 2HT
or email firstname.lastname@example.org
Where necessary, third parties may process personal information. Where this is required, Star Academies places data protection requirements on third party processors to ensure data is processed in line with all applicable data protection laws and regulations.
WHEN DO WE COLLECT YOUR INFORMATION?
- When you make a donation to us;
- When you sign up to a campaign with us (e.g. volunteering, fundraising);
- When you contact us by email, telephone, letter or through our websites (e.g. when you wish to access advice, support, or our other services);
- When you visit and use our websites (for more information about this, please see our Cookies Policy);
- When you interact with us on our social media platforms;
- When you interact with us through third parties (e.g. providing a donation through a third party such as Just Giving); and
- As part of the everyday administration of volunteer related activities if you are employed by us or volunteer to work with us.
WHAT INFORMATION DO WE COLLECT?
The information we collect from you directly, or from third parties with whom we work, may include:
- Personal information (i.e. name, DOB);
- Contact information (i.e. address, email address, telephone number, contact preferences);
- Characteristics (i.e. gender where appropriate);
- Details of the support that you are requesting;
- Financial information (i.e. bank account details, credit card details);
- Employer details for processing a payroll gift; and
- Taxpayer status for claiming Gift Aid.
WHY DO WE COLLECT AND USE YOUR PERSONAL DATA?
- To process your donations and gift aid declarations;
- To provide you with the advice, support and services you have requested;
- To deal with your queries, requests and responses to our projects and campaigns;
- To send you a confirmation of your donation and event registration;
- To improve our services;
- To recruit and select volunteers and employees;
- To direct volunteer activities;
- To meet any legal obligations that we have;
- To run background checks in accordance with our due diligence policies and procedures; and
- To plan work and volunteer related activities.
IN WHAT SITUATIONS DO WE SHARE PERSONAL DATA WITH OTHER ORGANISATIONS?
- When you agree to support us through a third-party fundraising site such as Just Giving;
- We may run a background check using publicly available sources or a third-party screening service as part of a recruitment process for volunteers. We carry out background checks in accordance with our due diligence policies and procedures in order to protect our organisation’s interests.
- We will share personal information with Shine Charity when you make a donation or request support, as they are also responsible for processing donations and raising funds for this project;
- With law enforcement agencies if we receive a valid legal instruction;
- If you use a debit or credit card to make a donation, we will share your personal data with a payment processing partner;
- If you are involved in an insurance claim, we might share your personal data with insurance services/brokers;
- We contract a limited number of third parties to store data on our behalf. This may include your personal data. Types of third parties we use include cloud storage, website hosting and software providers; and
- If we are required by law, we may share your personal data with data cleaning companies to ensure that the data we hold about you is accurate and up to date.
We only share personal data with another organisation if we have a legal basis to do so.
In all the above situations, we will ensure that we have a written contract (or valid legal instruction) in place with the organisation that includes data protection clauses to ensure that they do not use personal data for their own marketing purposes, and have security requirements in place to protect your personal data.
THE LAWFUL BASIS ON WHICH WE PROCESS THIS INFORMATION
- Article 6 1(b) of the GDPR which allows processing that is necessary for the performance of a contract;
- Article 6 1(c) of the GDPR which allows processing that is necessary to comply with a legal obligation;
- Article 6 1(f) of the GDPR which allows processing that is necessary for the purposes of a legitimate interest;
- Article 9 2(b) of the GDPR which allows the processing of special category data that is necessary for carrying out obligations in the fields of employment and social security and social protection law;
- Article 9 2(j) of the GDPR which allows the processing of special category data when it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Star Academies maintains Records of Processing that identify the lawful basis on which personal information is processed.
STORING PERSONAL INFORMATION
Personal data is stored securely in line with our Records Management and Data Protection policies. In accordance with data protection legislation, it is only retained for as long as necessary to fulfil the purposes for which it was obtained, and not kept indefinitely.
DATA TRANSFERRED OUTSIDE THE EU
Processors that we use may transfer, and hold, personal data outside of the EU. We will ensure that organisations who process personal data on our behalf only transfer data to countries that the EU deems as having adequate levels of protection in place. Processors that transfer data to the United States must be covered by the EU-US Privacy Shield. If a processor is found to be transferring data to a country that does not have adequate protections, or to an organisation that is not covered by the EU-US Privacy Shield, we will terminate our contract/subscription.
WHAT ARE YOUR RIGHTS?
As the data subject, you have specific rights in relation to the processing of your data. You have a legal right to:
- Request access to the personal data that Star Academies holds.
- Request that your personal data is amended if it is inaccurate or incomplete.
- Request that your personal data is erased where there is no legal basis for its continued processing.
- Request that the processing of your personal data is restricted.
- Request that we provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic format so that it can be easily transferred.
- Object to your personal data being processed if it is likely to cause, or is causing, damage or distress.
- You have rights not to be subject to automated decisions that create legal effects or have a similar significant impact on you, unless you have given us your consent, it is necessary for a contract between you and us or is otherwise permitted by law. You also have certain rights to challenge decisions made about you. We do not currently carry out any automated decision-making.
Requests must be submitted to the Data Protection Officer (contact details within). Star Academies also has a Subject Access Request Form that may be obtained from its website (https://staracademies.org/wp-content/uploads/2020/04/Subject-Access-Request-Form-v3.pdf) and all of its schools. Star Academies will consider all requests in line with your legal rights and our legal obligations. Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.
Where the processing of your data is based on your explicit consent, you have the right to withdraw your consent at any time. This will not affect any personal data that has been processed prior to withdrawing consent.
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with the Data Protection Officer in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns