Who is this policy for?
This policy is for anyone who uses Starlight’s services or works alongside or for Starlight, including children and families, health professionals, job candidates, suppliers and volunteers. We have a separate policy for those who support our fundraising efforts and you can find it here.
What’s this policy about?
During your interactions with us we’re likely to collect a fair amount of personal data from you. This policy explains how we collect, use and protect any information you give us, when we might share it and how you can stay in control of how we use it. Above all, it underlines our commitment to making sure your privacy is protected (and along the way it explains how we use the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to do so). After all, without you, there is no Starlight.
Sometimes we may need to change our policies and we’ll do so by updating this policy document on our website and putting a note at the top outlining the changes so they’re clear. When we make significant changes that we think may influence your decisions, we’ll aim to tell you about these directly. If you’re not happy with any changes then do let us know.
What information do we collect and why?
We collect information about you so we can deliver appropriate and relevant services to you or work alongside you to deliver those services to or children and families. We may collect it directly from you or from third parties who have your permission to share it with us, for example when a healthcare professional refers a child for our services. It may be collected via our website, if you fill in an online form. Sometimes we may use information that’s available from external sources as well. We will always tell you why we need the information and what we are going to do with it.
The information we collect and hold includes names, addresses, telephone numbers, email addresses, dates of birth, financial records, medical records, records of merchandise orders, and other information to assist us in providing our services or managing our contracts.
We hold information on children and families in order to provide those services which we deliver outside of hospitals. Where children and families have volunteered to help us with research, we hold information for those purposes as well.
If you come to one of our events or use our services, we may hold a photo or video image of you. We’ll always ask before taking photos or videos and if we want to use this on our website or in other marketing materials in order to promote the charity, we will always ask your permission. You can always say no.
We use information provided by candidates and volunteers to carry out DBS checks and, for candidates, right to work checks. We also collect and keep certain information because we legally have to – for example because of HMRC or safeguarding requirements. When working with suppliers we may collect personal information for the purpose of assessing credit risk.
We collect information about your background, for example ethnicity, for statistical purposes to ensure that we are reaching all communities of children and families who need us and maintaining a diverse workforce of staff and volunteers. We keep that information anonymously (so we don’t know it’s yours).
We respect the rights of children, including their rights to safety and to privacy. If we use images of a child on our website or other communications, we only give their first name. We always ask for consent from a parent or guardian before using images and where a child is able to state their own preferences we follow those. That means that if a child doesn’t want their picture used we don’t use it, even if their parent or guardian says we can. We have special consent forms to make it easy for children to understand what they are agreeing to.
Privacy and our website and social media
When you visit our website, you’ll see we use ‘cookies’ (small text files that are downloaded onto your device and allow our website to recognise your device and store some information about preferences or past actions). Some of these are absolutely necessary for the website to work or to keep it secure and they are the only ones we use without your consent. We’ll only use tracking or analytical cookies, which help us understand how people use our site, if you tell us we can.
When you access one of our Facebook pages, Facebook will collect your IP address and other data via its own cookies. We have no say over them doing that, it’s just how Facebook works, and no control over how they use that data, but you can manage their cookie collection in the same way you can ours.
Who sees the information we collect?
We sometimes share your data with trusted third parties who help with some of our activities, for example: our distribution company for hospital services resources, organisations or individuals involved in delivery of wishes. We outsource our IT support and use external software applications which may hold your data (such as our main services database and finance system); your data is shared with these organisations to allow them to support our software.
When we do any of this we make sure we have contracts in place which clearly say how the data can be used and which require them to follow GDPR.
We may also share information if we are legally obliged to do so (such as with HMRC, for safeguarding reasons or where requested by a regulatory body) and, where necessary, with legal and professional advisors (including our auditors).
We will never sell or share your information with other organisations to use for their own purposes.
How we keep your data safe
Most of the time we keep your data in electronic form. We take security very seriously and have measures in place to look after it, including:
- Password protected access to all systems to ensure only those who are entitled to see information can do so
- Encryption on laptops to minimise risk of data exposure if they are stolen
- Back-ups in place to minimise any risk of data loss if our systems fail
- Secure systems for data transfer, especially where sensitive data such as bank information is concerned
Where we keep paper copies of your personal information, we make sure these are kept securely.
How long do we keep your information
We only keep your information for as long as we need to in order to run our charity and comply with the law. Some information, such as financial information, has to be kept for seven years to comply with HMRC requirements. We keep data on our children and families for as long as they are eligible for our services, and for compliance with safeguarding requirements. We may delete data earlier if required to by law, for example if the ICO tells us to. We have special rules for certain groups of people, as follows:
We keep your information until you let us know you are no longer a relevant health professional (for example having left a children’s hospital environment). When that happens we’ll delete your name and personal data but will keep the record of your organisation and services provided so we have a historical record of service provision and impact.
We keep your information for two years after you stop working as a volunteer.
We keep medical records only until a wish has been granted. We may keep other details for up to 14 years as part of our agreement with other wish granting charities to confirm whether a child has had a wish with us which might make them ineligible for another.
Where do we keep your data?
We try and keep your data within the UK but it’s not always possible, for example where a software provider keeps data on servers elsewhere. We may transfer your data to countries within the European Union and when we do this we rely on the fact that the UK regulator has confirmed that data held in those countries is as well protected as it would be in the UK (this is called an ‘adequacy decision’). We occasionally work with an overseas partner outside of the European Union but we only ever do that if we can confirm your data will be held under rules at least as strong as UK GDPR and before we do it we will always tell you the country concerned and what safeguards are in place.
Your rights over your data
Your data belongs to you and you’re in control of what happens to it. As well as being able to express preferences for how you want to be contacted and give consent for certain uses, you can always:
- Ask to see the information we hold on you and for information on how we store and use it. If the information we hold on you includes information on other people we may need to remove that before we share it with you
- Ask us to correct data we hold on you if you think it’s wrong
- Ask us to delete information we hold. You can do this if we no longer need it or if you’ve previously given us consent and you’ve changed your mind. You can also ask us to delete information if we no longer have legitimate grounds to process it (see ‘the reasons we can use to collect and process your data’ at the end of this policy) or if we’re doing so unlawfully. There is some data we can’t delete, such as that we’re required to keep by law.
- Ask us to stop contacting you (either by a specific means or in general)
- Ask us to stop or restrict how we use your data (unless we’re required to use it by law or are using it to fulfil a contract with you)
- Ask us to transfer your information to another organisation
If you want to do any of these, please email us on [email protected]. If you’re not happy with the way we use your information, you can make a complaint by writing to or emailing the Data Controller (see information at the foot of this notice). If you’re still not satisfied then you can complain to the Information Commissioner’s Office.
Who to contact about your data
The Data Controller (the body responsible for your data) is Starlight Children’s Foundation, a charity registered in England and Wales (296058) and Scotland (SC 047600) and limited company (company number 02038895), whose registered office is Third Floor, 227 Shepherds Bush Road, Hammersmith, London, W6 7AU.
If you have any questions or concerns about your data then you can email us at [email protected] or call us on 020 7262 2881. Our Data Protection Officer, Kristy Gouldsmith, can be contacted at [email protected].
A legal note: the reasons we can use to collect and process your data
The law on data protection sets out a number of different reasons for which an organisation may collect and process your personal data, including:
In specific situations, we collect and process your data with your consent. You can withdraw your consent at any time. For example, if we wanted to use a photograph of you in our marketing material, we would need your consent to do so.
If the law requires us to, we may need to collect and process your data. For example, we are required to comply with HMRC audits of our records.
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, keeping your data on our software systems.
If we have a contract with you then we can collect and process your data to allow that contract to operate effectively.