Privacy Notice

This section of our Privacy Notice tells you what to expect when we use personal information about you as a user of the website www.nationalstar.org

Why do we use your personal data?
We process your data for purposes arising from your use of the website, for example, to ensure that we understand who uses our site to enable us to make improvements and ensure that it is secure. This processing is necessary to meet our legitimate interests in operating and improving the website, analysing its use, and ensuring its security.

What personal information do we collect from you?

Some parts of our website will automatically process your personal data such as your Internet Protocol (IP) address using software called Cookies.  Please see our Cookie Policy for more information.

We may ask for some personal details if you access our services to enable us to fulfil the arrangement and to contact you if necessary about the event or service.  Examples of where you may interact with the website include:
• Contact us,
• StarBistro, StarGolf, StarGlamping or other service or event bookings
• Signing up to email newsletters
• Subscribing to job alerts
• Volunteering enquiries
• Making a donation to National Star via the website
• Teacher training enquiries

We might contact you for the following reasons:
to answer you when you’ve contacted us, to provide updates about a service or event you have booked, or to respond to a comment or complaint.
to invite you to take part in surveys about our services, which are always voluntary.
We’ll only contact you when we need to or when you’ve given us permission.

What is our lawful basis for using your personal data?
We have a legal basis for processing your personal data in accordance with Article 6 of the UK GDPR.
• As a service provider most of the information set out above is processed to fulfil a contract with you. Without it we would not be able to process your booking, transaction or attendance at our events.
• We also have a legitimate interest in processing other information about you for the purpose of the smooth running of our business and for planning purposes.

Who we share your personal data with?
• We will normally only use your personal data internally and will not disclose it to third parties except where we are required by law, to exercise or defend our legal rights or where you have given your express consent.
• Where we do share data with third parties, all our third-party service providers are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions. Where your data is shared with third parties, we will seek to share the minimum amount necessary.
• If we need to share your data outside the UK we will follow a suitable lawful approach to ensure your data receives the same protection as if it were being processed inside the UK.

How long do we keep your personal data for website subscriptions?
For the purposes of the weekly email and blog subscriptions we will keep your information until you unsubscribe. You can of course ask us to delete your information at any time and we will oblige (subject to some exceptions set out in law).

Social media
National Star operates on a number of social media platforms, and although this policy covers how we use any data collected from these sites, we bear no responsibility for how these third-party providers may use your information. We recommend you read the privacy policy of the social media website before sharing data and make use of the privacy settings and reporting mechanisms stated within to control how your data is used.

This section of our Privacy Notice tells you what to expect when we use personal information about you as a day or residential student.

Why do we use your personal data?
We use personal data to:
• Maintain accurate and up-to-date records and contact details for you, including key contacts, next of kin, external medical professionals, and who to contact in the event of an emergency.
• Plan, deliver, record, monitor and report on your learning.
• Enter you for qualifications and record results.
• Monitor and provide you with care and support for your needs, including administering medication and training our employees.
• Make recommendations for amendments to your Education, Health and Care Plan (EHCP), or Individual Development Plan (IDP) if you are a Welsh student.
• Ensure we respect your capacity to make your own decisions, apply safeguards and are aware of your legal circumstances, such as the existence of a power of attorney.
• Ensure we comply with our legal obligations. For example, to record and manage allegations under welfare protection schemes such as Safeguarding and Prevent.
• Manage applications, contracts and invoicing for your funding, where your place with us receives public funding.
• Meet our obligations under your funding contracts, where your place with us receives public funding. For example, to report your learning and outcomes to the Education and Skills and
Funding Agency (ESFA).
• Take care of and provide you with your money, if you require it.
• Provide you with support in using and making applications for services if you require it. For example, social media, email, National Union of Students (NUS) and Community ID cards, and
our bursary fund.
• Ensure service user (e.g. students, residents), public and employee safety and also for crime prevention and detection. CCTV is installed in some of our premises and in external areas.
* To monitor attendance at National Star premises we may record information about your visit as part of our sign in process.
• Ensure effective administration of our organisation. For example, when you make a request or a complaint.
• Ensure the legitimate, legal, secure and appropriate use of our IT. For example, by managing and monitoring your use of IT facilities and equipment, including internet access and your personal devices using our network.
• Maintain and promote equality of opportunity amongst users of our services.
• Respond to and defend against legal claims.
* To send you notifications using electronic messaging systems, e.g. road closures/weather disruptions.
• Monitor and report on your transition and future plans when you leave us

What personal information do we collect from you? 
We use these categories of personal data:
• Name and contact details, including date of birth and gender.
• Your preferences e.g. communication, hobbies.
• Assessments about you prior to you starting with us.
• Learner information, including unique learner number, learning aims and outcomes.
• Learning progress, outcomes and work-based activities.
• Photographs and video recordings taken as part of your learning and support, such as recordings of learning progress.
• Timetable and attendance.
• EHCP, or IDP if you are a Welsh student.
• Details of your disability and health needs, including reports from medical professionals such as your general practitioner and therapists.
• Care, support and medical plans.
• Logs of care, support and medical events, including monitoring.
• Assistive technology information, such as equipment, configuration and support requirements e.g. use of augmentative and alternative communication (AAC) devices.
• Involvement in activities and events, such as meetings attended, referrals made e.g. Safeguarding, and other requests associated with your time with us.
• Involvement in health and safety reporting and investigations.
• Risk assessments.
• Withdraws, deposits and balance of your money that we hold.
• Funding requirements, contracts and invoices.
• Accounts and passwords for services you use, such as your account on our email system, Facebook and Twitter, if required.
• Records of usage of IT equipment and facilities, such as operating system, application and network usage.
• CCTV recordings.
• Details of any criminal record you have.
• Equal opportunities monitoring information.
• Your learning, occupation and activities after leaving us.
• Photograph for uploading onto the personal AAC devices of other students, if you have given us your consent.
• Photograph for our marketing and publicity purposes, if you have given us your consent

What is our legal basis for using your personal data?
The law on data protection sets out a number of bases under which an organisation can use your personal data. The applicable bases are:
• Legal obligation – in some cases, it is necessary for us to use your personal data to comply with our legal obligations. For example, we are required by law to maintain care and medication records under the Health and Social Care Act 2008.
• Public task – in some cases, it is necessary for us to use your personal data to perform a task in the public interest that has a clear basis in law. For example, our function to provide education and training under the Children and Families Act 2014.
• Legitimate interest – in other cases, we have a legitimate interest in using your personal data before, during and after your time with us as a student. For example, in order to maintain the security of our IT systems. In these cases, our interests balance your rights and freedoms.
• Consent – in specific situations, we will use your personal data only with your consent. When we seek your consent, we will always do so separately and make it clear to you by providing full details.  Where you have given us your consent, you are able to withdraw it at any time.

Where we process special category personal data (racial or ethnic origin, religious or philosophical beliefs, data concerning health or data concerning sexual orientation), the applicable bases are:
• We use your health data to provide care and support for your needs. This is on the basis that it is necessary for the purposes of the provision of health or social care or treatment.
• We use racial or ethnic origin, religious or philosophical beliefs, and data concerning sexual orientation to monitor equality of opportunity. This is on the basis that it is necessary for reasons of substantial public interest

Who do we share your personal data with?
We routinely share personal data with the following categories of recipients:
• Internally with your Personal Learning Coordinator, Education Team, Nursing Team, Therapy Team, Safeguarding Team and Residential Team (if you are residential student).
• Internally with our IT Team and Funding Team.
• Third parties that process data on our behalf, such as cloud-based email security software providers.
• Training accreditation bodies and qualification boards.
• The National Health Service and other medical professionals involved in your care, support and medication.
• The ESFA, who are a data controller of the data we share with them. We are required to provide you with their privacy notice ESFA Privacy Notice
• Funding bodies, such as Local Authorities, to meet their reporting requirements.
• Local Authorities and other relevant parties with regard to safeguarding and other welfare protection schemes
* External regulators such as Ofsted, CQC
* Auditors (internal/external)

This privacy notice tells you what to expect when we use personal information about you as an employee (an individual who has entered into or works under a contract of employment for National Star).

Why do we use your personal data?
We use personal data to:
• Enter into an employment contract with you.
• Meet our obligations under your employment contract. For example, to pay you and administer other entitlements, such as pension.
• Ensure we comply with our legal obligations. For example, checking your entitlement to work in the UK, to deduct tax, to comply with health and safety law, and perform criminal records checks.
• Ensure we comply with our regulatory obligations. For example, recording your professional qualifications and registration, and recording your involvement in service provision.
• Enable our students and residents to communicate with you using Augmentative and Alternative Communication (AAC).
• Maintain accurate and up-to-date employment records and contact details, including who to contact in the event of an emergency.
• Ensure acceptable conduct within the workplace. For example, operating and recording disciplinary and grievance processes.
• Enable the monitoring and development of our employees. For example, to record performance and related processes, to establish work patterns, to perform recruitment, for career and succession planning, to operate and record absence management and other types of leave (including maternity, paternity, adoption, parental and shared parental leave) and ensure that employees are receiving the pay or other benefits to which they are entitled.
• Issue correspondence to you or about you, such as references on request for current or former employees.
* To send you notifications using electronic messaging systems, e.g. road closures/weather disruptions.
• Respond to and defend against legal claims.
• Maintain and promote equality in the workplace.
• Enable the development of employee-related policies. For example, for recruitment and retention.
• Obtain and monitor information on your health conditions, including occupational health advice and medical reports, to ensure we comply with duties in relation to individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled.
• Ensure effective administration of our organisation. For example, when you make a request or a complaint.
• Ensure the legitimate and secure access to our premises. For example, by operating a physical access control system.
• Ensure the legitimate, legal, secure and appropriate use of our IT. For example, by managing and monitoring your use of telephony, IT facilities and equipment, including internet access and your personal devices using our network.
*To meet our legal obligation to undertake Data Subject Rights Requests and investigation of Data Breaches.  For example when conducting a search for relevant content, communication tools such as email and Teams messages may be accessed and data extracted.
• Ensure service user (e.g. students, residents), public and employee safety and also for crime prevention and detection. CCTV is installed in some of our premises and in external areas.
* To monitor attendance at National Star premises we may record information about your visit as part of our sign in process.
• Monitor and ensure the safe use of our vehicles. For example, we monitor the location of vehicles to manage traffic congestion issues; we log drivers to help identify responsibility if motoring-related offences are reported to us as the vehicle owner; and we generate driver quality reports based factors such as speed and braking to monitor the safe transportation of passengers
• Ensure service user (e.g. students, residents), public and employee safety and also for crime prevention and detection. Dashcams are installed in National Star vehicles.
* To enable you to be identified on online meetings and video calls your name and image may be shared whilst online and then stored within IT applications in accordance to National Star retention policies.

What personal information do we collect from you?
We use these categories of personal data:
• Name and contact details, including date of birth and gender.
• The terms and conditions of your employment.
• Employment history, skills, references, qualifications, training, and registrations.
• Remuneration and other benefits or entitlements, such as pensions.
• Working schedule, attendance, periods of leave and the reasons for the leave.
• Assessments of your performance and development, and related correspondence.
• Medical or health conditions, including whether you have a disability for which we need to make reasonable adjustments.
• Marital status, next of kin, dependants and emergency contacts.
• Bank account and National Insurance number.
• Involvement in health and safety reporting and investigations.
• Photographs and video recordings taken as part of your role, such as a recording a student’s learning progress, awards ceremonies or required for security purposes.
• CCTV recordings.
• Risk assessments.
• Records of usage of IT equipment and facilities, such as operating system, application and network usage, and usage of telephones.
* Recordings of online meetings or activity where you are identifed.
• Involvement in activities and events, such as care provision, meetings attended, referrals made e.g. Safeguarding, and other requests associated with your employment.
• Logs of vehicle usage and driving behaviour.
• Equal opportunities monitoring information.
• Details of any criminal record you have.
• Details of disciplinary or grievance procedures in which you have been involved.
• Trade union membership, if you have given us your consent.
• Photograph for our marketing and publicity purposes, if you have given us your consent
* Content from communications tools such as email or Teams messages which identify you if relevant for a Data Subject Rights Request or Data Breach investigation.

What is our legal basis for using your personal data?
The law on data protection sets out a number of bases under which an organisation can use your personal data. The applicable bases are:
• Contract – in some cases, it is necessary for us to use your personal data in order to enter into and meet our obligations under your employment contract. For example, to pay you and administer other entitlements.
• Legal obligation – in some cases, it is necessary for us to use your personal data to comply  with our legal obligations. For example, we are required by law to check your entitlement to work in the UK, to deduct tax, to comply with health and safety law and maintain care and medication records.
• Legitimate interest – in other cases, we have a legitimate interest in using your personal data before, during and after the end of the employment relationship. For example, to operate promotion processes, to maintain up-to-date employment records and contact details; to operate disciplinary and grievance processes to ensure acceptable conduct in the workplace; and to ensure the effective administration of our organisation. In these cases, our interests balance your rights and freedoms.
• Public task – in some cases, it is necessary for us to use your personal data to perform a task in the public interest. For example sharing your contact information with Public Health England.
• Consent – in specific situations, we will use your personal data only with your consent. When we seek your consent, we will always do so separately and make it clear to you by providing full details.
Where you have given us your consent, you are able to withdraw it at any time.
Where we process special category personal data (racial or ethnic origin, religious or philosophical beliefs, trade union membership, data concerning health or data concerning sexual orientation), the applicable bases are:
• We use your health data to fulfil our obligations to health and safety and occupational health requirements. This is on the basis that it is necessary (i) for the purpose of carrying out our obligations in the field of employment, and (ii) for the assessment of the working capacity of employees.
• We use racial or ethnic origin, religious or philosophical beliefs, and data concerning sexual orientation to monitor equality of opportunity. This is on the basis that it is necessary for reasons of substantial public interest.
• We use your trade union membership to pay your subscriptions by payroll deduction. This is on the basis of your explicit consent.
Where you have given us your consent, you are able to withdraw it at any time

Who do we share your personal data with?
We routinely share personal data with the following categories of recipients:
*  Internally, including across the People team, Safeguarding team, your line manager and other managers in the area in which you work, and with the IT team if access is necessary for the performance of their roles.
*  Students and residents, to enable them to communicate more effectively by having your name and photograph as part of their personal AAC.
*  Third parties that process data on our behalf, such as:
*  Providers of third party IT systems required for the performance of your role.
*  Benefit administrators and providers.
*  The Disclosure and Barring Service to perform necessary criminal records checks.
*  Other employers, to obtain pre-employment references.
*  Training providers and qualification awarding bodies.
*  Providers of goods and services. For example, travel providers and insurers.
*  Regulators, such as the Care Quality Commission, Ofsted and Estyn.
*  His Majesty’s Revenue and Customs.
*  Health and Safety Executive.
*  The police, legal professionals and our insurers, where criminal or civil law considerations arise, including where we need to seek advice.
*  Project partners and other employers we work with.
*  Local Authorities and other relevant parties with regard to Safeguarding and other welfare protection schemes.
*  Our own auditors and those of third parties we contract with, such as Local Authorities who fund students and residents.
  Public Health England, where they approach us for personal contact details in the event of a national health pandemic. We do this on the basis of it being in the public interest (see section 5) and draw your attention to your right to object in section 9.

*  DBS and driving licence checking third parties.

This privacy notice tells you what to expect when we use personal information about you as an applicant or someone who has registered their interest in working for National Star.

Why do we use your personal data?
We use personal data to:
• Keep up to date records and contact details to communicate with you and share information, for example on new vacancies, employment opportunities and news updates if you have requested this;
• Manage the recruitment and selection process, including shortlisting purposes and decision making
• Enable us to contact you to update you on progress and outcomes;
• Enable the monitoring of our recruitment processes, including response to campaigns,  diversity monitoring purposes and to ensure we comply with our legal obligations – for example, checking your entitlement to work in the UK, , and performing criminal records checks before any employment starts
• Ensure we comply with our regulatory obligations. For example, checking your professional qualifications and any registrations, such as with HCPC.
To enable a contract of employment to be issued to you and the required pre-employment checks to be commenced
• To respond to and defend against legal claims
• Obtain information on applicants’ health conditions, including occupational health advice and medical reports, to ensure we comply with duties in relation to individuals with disabilities and meet our obligations under health and safety law
• Ensure service user (e.g. students, residents), public and employee safety and also for crime prevention and detection. CCTV is installed in some of our premises and in external areas.
* To monitor attendance at National Star premises we may record information about your visit as part of our sign in process.

What personal data do we collect from you?
We use these categories of personal data:
• Name and contact details, including date of birth and gender.
• Employment history, skills, references, qualifications, training, and registrations.
• Information on your current remuneration and other benefits or entitlements
• Medical or health conditions, including whether or not you have a disability for which we need to make reasonable adjustments both during any recruitment process and in relation to the role for which you have applied or been offered.
• National insurance number and if offered a post, additional information such bank details
• Involvement in health and safety reporting and investigations.
• Equal opportunities monitoring information.
• Details of any criminal record you have.

What is our legal basis for using your personal data?
The law on data protection sets out a number of bases under which an organisation can use your personal data. The applicable bases are:
• Legal obligation – in some cases, it is necessary for us to use your personal data to comply with our legal obligations. For example, we are required by law to check your entitlement to work in the UK,
• Legitimate interest – in other cases, we have a legitimate interest in using your personal data before, during and after the end of the employment relationship. For example, to maintain up-to-date records and contact details during the application and selection process, and for a limited period afterwards in case further opportunities arise; in these cases, our interests balance your rights and freedoms.
• Consent – in specific situations, we will use your personal data only with your consent. When we seek your consent, we will always do so separately and make it clear to you by providing full details. Where you have given us your consent, you are able to withdraw it at any time.

Where we process special category personal data (racial or ethnic origin, religious or philosophical beliefs, trade union membership, data concerning health or data concerning sexual orientation), the applicable bases are:
• We use your health data to fulfil our obligations to health and safety and occupational health requirements. This is on the basis that it is necessary (i) for the purpose of carrying out our obligations in the field of prospective employment and employment, and (ii) for the assessment of the working capabilities.
• We use racial or ethnic origin, religious or philosophical beliefs, and data concerning sexual orientation to monitor equality of opportunity. This is on the basis that it is necessary for reasons of substantial public interest.

Who do we share your personal data with?
We routinely share personal data with the following categories of recipients for recruitment and selection related purposes:
• Internally, including across the HR team, recruiting managers and other managers involved in the recruitment and decision making process
• The Disclosure and Barring Service and umbrella bodies to perform necessary criminal records checks.
• Other employers, to obtain pre-employment references.
• Training providers, qualification awarding bodies and those holding registers.
• Regulators, such as the Care Quality Commission, Ofsted and Estyn.
• The police, legal professionals and our insurers, where criminal or civil law considerations arise, including where we need to seek advice.
• Local Authorities and other relevant parties with regard to Safeguarding and other welfare protection schemes.
• Our own auditors and those of third parties we contract with, such as Local Authorities who fund students and residents.
• Occupational Health Pre-employment screening company and Occupational Health Advisors and/or Physicians.

How long do we keep job applicant personal data?
For unsuccessful applicants we keep your personal data for up to 13 months, but for those
who are employed this will continue after the end of the employment relationship.

This privacy notice tells you what to expect when we use personal information about you as a supporter of National Star. Being a supporter means you have requested updates on our work which may contain opportunities to make a donation or volunteer; you have made or indicated a willingness to make a charitable donation; you participate in other activities, such as our lottery; or you are on occasional volunteer. We rely upon and are extremely grateful for the goodwill and generosity of our supporter’s contributions to help fund our work with people with disabilities towards achieving their goals. We want this to be a positive and rewarding experience, part of which is wanting you to be fully informed about how we use your data and your rights.

Why do we use your personal data?
We use personal data to:

• Provide you with the services, products or information you asked for, for example, our newsletter, lottery or raffles, or fundraising materials.
• Administer your donation or support your fundraising, including submitting your details to HMRC to claim Gift Aid if applicable.
• Administer your participation in an event.
• Keep you up-to-date with the impact of your support and to ask for financial and non-financial support.
• Support and further our mission, for example if you have shared your story, we may use this in marketing or promotional materials.
• Sometimes we do something called profiling. It is a standard practice across the charity sector and means that we consider what would be appropriate to ask of you or send you. This helps us to ensure that we only send you information or requests for fundraising support that we feel may be of interest to you. This approach helps us to raise funds sooner and more cost effectively.
  • Ensure service user (e.g. students, residents), public and employee safety and also for crime prevention and detection. CCTV is installed in some of our premises and in external areas.
  * To monitor attendance at National Star premises we may record information about your visit as part of our sign in process.

What personal data do we collect from you?
We use these categories of personal data:

• Name and contact details. This includes email address to send you information about us where you have given us your consent.
• Other personal details, such as occupation and photographs.
• Medical information where relevant to your participation in an event and where you have given us your consent to hold it.
• Donation history.
• Financial and payment information such as direct debits and card payments, including your gift aid status.
• Personal data about individuals who may be interested in supporting our work. This is through the profiling we described earlier in this notice. In these circumstances, in addition to information we may collect from you, we may also hold information about you, for example your interests, education and network of contacts, gathered from publicly available sources such as Companies House, the Charity Commission and social media platforms.
• Other information you may give to us, such as your reasons for supporting us.

What is our legal basis for using your personal data?
The law on data protection sets out a number of bases under which an organisation can use your
personal data. The applicable bases are:

• Legitimate interest – in some cases, we have a legitimate interest in using your personal data. For example, to send you information about us in the post. In these cases, we carefully consider the balance of our interests and your rights and freedoms.
• Legal obligation – in some cases, it is necessary for us to use your personal data to comply with our legal obligations. For example, holding and sharing Gift Aid details with His Majesty’s Revenue and Customs.
• Consent – in specific situations, we will use your personal data only with your consent. For example, when sending you information about us by email. When we seek your consent, we will always do so separately and make it clear to you by providing full details. Where you have given us your consent, you are able to withdraw it at any time. Where we process your medical information, which is a special category of personal data, our basis is your explicit consent to use this to administer your safe participation in an event. Where you have given us your consent, you are able to withdraw it at any time.

Who do we share your personal data with?
We may share some of your personal data with the following categories of recipients:

• Internally, with our Fundraising Team, Finance Team when processing financial donations, and with our Communications Team who are involved in the preparation and issue of newsletters and campaigns.
• Third parties that process data on our behalf, such as organisations who we use to send fundraising campaigns and event emails, and our lottery operator.
• Third parties we use for data cleansing and research purposes. Data cleansing means detecting and correcting inaccurate data, such as invalid postcodes.
• Third parties who process payments and donations, such as Just Giving.
• Regulators, such as the Fundraising Regulator and Charity Commission.
• His Majesty’s Revenue and Customs.
• Our own auditors.

LRS privacy notice – GOV.UK (www.gov.uk)

To comply with data protection legislation, schools, colleges, local authorities, and training sector organisations are responsible for issuing a copy of this privacy notice to learners and/or parents/guardians. This notice summarises the information held on record about them, why it is held and the third parties with whom the data may be shared.