Privacy Notice

Why we use your data
When using our website we use your information to operate and improve it, ensure security, provide services you request, and understand how our site is used.

DUAA recognises network and information‑system security as a recognised legitimate interest, meaning we can rely on it without balancing tests when necessary.

What we collect

• IP address, browser/device info, pages visited
• Cookies and analytics (see Cookie Policy)
• Information you enter when using forms (e.g. student admissions, newsletters, bookings, donations, job alerts)

Lawful bases

• Contract (when delivering services you request)
• Legitimate interests (security, functionality, analytics)
• Consent (marketing emails, optional cookies)

Who we share with
Internal teams and third‑party service providers who support website hosting, security, analytics, booking or payment systems — always under strict conditions.

Retention
We keep subscription information until you unsubscribe.

Social media
National Star operates on a number of social media platforms. We are not responsible for how platforms process your data; please check the platform’s own privacy settings and policies.

Why we use your data
To support your education, care, wellbeing, and safety, and to deliver our statutory functions.

Categories we collect include:

• Contact information
• Attendance/personal administration
• Educational records
• Health/care information
• Funding/admin records
• Digital accounts and IT monitoring
• Images, CCTV, biometrics (only with consent)
• Equality and safeguarding information
• Clinical supervision: Some therapy sessions (for example Music Therapy) may occasionally be audio or video‑recorded for clinical supervision. Recordings are kept securely, accessed only by clinical staff, and deleted once supervision is complete.

Lawful bases

• Legal Obligation (care records, safeguarding)
• Public Task (education and training duties)
• Legitimate Interests (IT security, service management)
• Recognised Legitimate Interests (DUAA) – safeguarding, crime prevention, emergency response
• Consent – biometrics, publicity photos
• Special Category Conditions – health/social care; substantial public interest

Children’s Higher Protection Matters (DUAA)
Where services may be accessed by under-18s, we apply:

• Age-appropriate information
• High-privacy defaults
• Limits on profiling
• No “nudging” to share unnecessary data
• Data protection by design/default

Sharing
Internal teams (education/care/IT/funding teams). NHS; ESFA, Local Authorities, safeguarding agencies, regulators, auditors, approved third‑party processors.

Why we use your data

To contact, employ, support, manage and develop you, pay you, meet legal and regulatory duties, maintain safety, ensure legitimate access, provide references, allow students and residents to communicate with you, promote equality, and run the organisation effectively.

Categories of information collected include:

• Identity, bank details, employment, benefits and pension information.
• Working schedule, attendance and leave information.
• Personal contact details/marital status/next of kin/dependants/emergency contacts.
• Occupational‑health data
• Performance, development, conduct, any criminal record and safeguarding information
• Qualifications/skills/training/registration/driving qualifications/behaviour
• Telephone, IT and network logs
• CCTV, telematics, dashcam footage, vehicle location, sign in information
• Equality monitoring
• Teams/Emails/online documents to support data subject rights requests
• Trade‑union membership (consent)
• Photos/video recordings taken as part of your role supporting service users.
• Recordings of online meetings where you are identified.
• Photographs or video recordings for our marketing and publicity purposes, if you have given us your consent.
• Clinical supervision (clinical roles only): Some practice‑based sessions may be recorded for clinical supervision and professional standards. These recordings are used only for supervision, stored securely, and retained only as necessary.

Lawful bases

• Contract (employment)
• Public task (for example providing information to exam boards.
• Legal Obligation (tax, safeguarding, H&S)
• Legitimate Interests (IT/security, workforce management)
• Recognised legitimate interests (DUAA): safeguarding, crime prevention, emergencies, admin sharing, IT security
• Consent (publicity photos, union deductions)
• Criminal offence data: DBS checks under Schedule 1
• Special Category personal data: We use your health data to fulfil our obligations to health and safety and occupational health requirements. This is on the basis that it is necessary (i) for the purpose of carrying out our obligations in the field of employment, and (ii) for the assessment of the working capacity of employees. • We use racial or ethnic origin, religious or philosophical beliefs, and data concerning sexual orientation to monitor equality of opportunity. This is on the basis that it is necessary for reasons of substantial public interest. • We use your trade union membership to pay your subscriptions by payroll deduction. This is on the basis of your explicit consent.

Automated decision-making

We do not use solely automated decisions with significant effects without safeguards (human involvement, challenge rights).

Sharing

Internal

HR, safeguarding, managers, IT, shift fulfilment, payroll, benefit providers, students/residents (e.g. adding name/photo to AAC devices)

External

Other employers (e.g. references), project partners, DBS, approved third party IT providers, approved third party services (e.g. driving licence checking), Local Authorities, NHS organisations/ UK Health Security Agency, regulators (e.g. Care Quality Commission, Ofsted and Estyn), HMRC, HSE, auditors, insurers, law enforcement where required, training providers and qualification awarding bodies, providers of goods and services such as travel/insurance

Why we use your data
To run a fair, safe and lawful recruitment process.

Includes:

• Communication during recruitment
• Shortlisting, interviews and decision‑making, monitoring recruitment processes
• Checking right‑to‑work, criminal record checks, qualifications, registrations, DBS and to issue contract
• Equality monitoring
• Occupational‑health checks where needed
• Security and site safety (visitor sign‑in, CCTV)
• Handling complaints or legal claims

DUAA‑recognised legitimate interests may apply for: safeguarding, crime prevention, emergency response, internal admin sharing, IT/system security.

Personal data we collect

Identity and contact details, employment history, pensions, benefits, qualifications, skills, conduct, references, training, registrations, health/adjustment needs, National Insurance number (if offered post), bank details, DBS info (where required), equality data (optional), CCTV if you visit site.

Lawful bases

• Legal Obligation (right‑to‑work, DBS)
• Legitimate Interests (fair recruitment, admin, IT security)
• Recognised LI (DUAA) where applicable
• Consent (mailing lists, certain optional uses)
• Special category (employment, health, substantial public interest)

Sharing

Internal

HR, recruiting managers.

External

DBS, referees, approved third party reference checking service, training providers/awarding bodies, Local Authorities (e.g. safeguarding/welfare), regulators (e.g. Care Quality Commission, Ofsted and Estyn), occupational‑health providers, safeguarding bodies, auditors, insurers, legal professionals/law enforcement where required.

Retention

Unsuccessful applicants: 13 months

Successful applicants: data added to staff record.

Why we use your data

To manage donations, fundraising, events, volunteering, supporter communications and charity operations.

Includes:

• Sending newsletters, updates, fundraising materials
• Processing donations and Gift Aid
• Managing lotteries, raffles and administer participation at events
• Stewardship and supporter engagement
• Using stories/photos where you’ve agreed
• Profiling to send relevant content
• CCTV and visitor sign‑in safety measures
• DUAA‑recognised legitimate interests: charity marketing, admin sharing, IT security, safeguarding, crime prevention

What we collect

Contact details, network of contacts (if shared), donation history, payment information, interests/occupation (if shared), event participation info, health data for event safety (consent), publicly available supporter info, visitor/CCTV data, reasons for supporting us.

Lawful bases

• Legitimate Interests (postal marketing, stewardship, profiling, security)
• Recognised LI (DUAA) (direct marketing, crime prevention, admin sharing)
• Legal Obligation (Gift Aid, financial compliance)
• Consent (email/SMS marketing, health/event data, stories/photos)
• Special category — explicit consent or substantial public interest where applicable

Sharing

Internal

Fundraising, Finance, Communications, Events teams;

External

Mailing houses; event partners; payment processors; data‑cleansing providers; regulators (e.g. Fundraising Regulator and Charity Commission); HMRC; auditors.

guidance.submit-learner-data.service.gov.uk/24-25/ilr/ilrprivacynotice

To comply with data protection legislation, schools, colleges, local authorities, and training sector organisations are responsible for issuing a copy of this privacy notice

to learners and/or parents/guardians. This notice summarises the information held on record about them, why it is held and the third parties with whom the data may be shared.