This privacy notice sets out how St George’s House uses and protects any personal data it collects or processes in the course of its activities, and outlines your rights regarding this data.
St George’s House is committed to using minimal amounts of personal data lawfully and securely, in line with the UK Data Protection Act 2018 (“DPA 2018”), EU Regulation 2016/679 (the General Data Protection Regulation [“GDPR”]), and all relevant guidance issued by the Information Commissioner’s Office (ICO).
Table of Contents
- What is personal data?
- How we secure your data and comply with our obligations
- Types of personal data we process
- Financial transactions
- Why we process personal data
- Lawful bases for processing personal data
- Sharing personal data
- New purpose
- Length of time we keep information
- Data breach
- Your rights
- Exercising your rights and contact details
What is personal data?
Any information about a living individual which allows them to be identified from that information, or that information in conjunction with other available information, is considered to be personal data. Special category personal data is especially sensitive data that reveals or may reveal in conjunction with other information: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health; sex life and sexual orientation; and any criminal convictions and offences. St George’s House acts as a “data controller”, which means the organisation is responsible for collecting and storing any personal data provided by data subjects.
We secure your data and comply with our obligations by
- Ensuring we have appropriate policies and processes in place to store personal data securely and securely erase it when appropriate;
- Protecting personal data from loss, misuse, unauthorised access and disclosure;
- Minimising the amount of personal data we collect;
- Storing personal data for the minimum time needed and keeping personal data up to date with regular reviews;
- Ensuring any third-party organisations who collect or store personal data on our behalf are GDPR-compliant and committed to data protection;
- Being responsive to any requests from data subjects who want to exercise their rights to access, rectify, limit, or erase their personal data.
Types of personal data we process
- Names, titles, and aliases;
- Date of birth;
- Contact details such as address, email address and telephone number;
- Photographs or recordings taken at events we hold;
- Payment card and transactions details for donations made or products or services purchased;
- Necessary personal information for employees, volunteers and contractors, which may also include next of kin details.
We also process minimal and limited special category personal data. This may include the temporary collection of dietary, mobility, medical or other health issues or requirements individuals share with us for accommodation, event or employment purposes, or data that could suggest an individual’s religious beliefs, in the course of events we run specifically for or with religious organisations or ministers of different denominations.
At events that we organise, there may be a photographer present. We may use photographs taken to promote the activities of the House. At such events, we will provide a notice at the entrance to the event and instructions on how any attendee who does not wish to be photographed can inform a member of staff of their wishes.
Financial transactions
When people make payments to the House, either via the website, in person, or by telephone, we use third party providers to process credit or debit card purchases. These providers adhere to international security standards within the credit card industry.
Why we process personal data
We process personal data for the following purposes:
- To organise Consultations, cultural events, lectures, one-off events, lunches and dinners;
- To meet statutory and legal obligations;
- To administer membership records for our Associates scheme and Society of Leadership Fellows;
- To fundraise and promote the interests of the House;
- To process donations and claim Gift Aid where relevant and appropriate;
- To maintain our accounting records;
- To manage our employees and volunteers;
- To record details of any accidents on our premises in line with Health and Safety Regulations;
- To seek your views or comments as part of the wider St George’s House community;
- To inform you of news, events, and activities at St George’s House;
- To send you communications which you have requested and that may be of interest to you. These may include information about our programme, appeals, or other fundraising activities.
- To archive historically or culturally significant materials in the public interest.
Lawful bases for processing personal data
We determine a lawful basis for all personal data we collect or process. We process personal data according to the following lawful bases:
- Legitimate interests
This lawful basis means that processing the data is necessary to fulfil our core functions as an organisation and that it does not overly affect the interests, rights, and privacy of the data subject. For instance, we may need to acquire personal data for security clearance so that individuals can enter the Castle grounds for our events, or use email addresses to send invitations to our events.
- Legal obligation
This means we are legally required to store the personal information, as in the case of storing Gift Aid information or employee details as part of our duty to HMRC.
- Contract
Personal data may be necessary to perform a contract with staff, contractors, or external organisations.
- Vital interests
In the unlikely case of an accident or medical emergency on our grounds or at one of our events, we may need to collect medical information to protect the life of the data subject.
- Public interest
We may archive materials of historical or cultural significance in the public interest.
Where personal data is held or processed other than in line with the above, it will be on the basis of consent, meaning the individual has given us their explicit consent for us to collect, process or share their data.
Sharing personal data
We treat all personal data as strictly confidential. We only ever share personal data with third parties where this is necessary for the performance of our legal responsibilities or where prior consent is provided. All third parties we work with are GDPR compliant.
We will not sell or lease your personal information to third parties.
New purpose
If we seek to use your personal data for a new purpose, or a purpose not referenced in this Privacy Notice, we will seek your prior consent and provide a new Privacy Notice before beginning the processing.
Length of time we keep data
In line with ICO and GDPR guidance, we retain personal data for the minimum amount of time that it is needed. We will delete or anonymise personal data once it is no longer needed or if there is a legitimate request to erase the information (see section below on Your rights). We keep financial records, including Gift Aid, for six years after the end of the relevant accounting year.
Data breach
A personal data breach means that the security of personal data is compromised. This includes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. St George’s House handles all personal data securely and lawfully and thus we do not anticipate data breaches.
In the unlikely event that a data breach occurs, we will follow GDPR-compliant protocol by implementing a recovery plan, notifying the appropriate authorities, and informing all relevant people or organisations.
Your rights
St George’s House respects the rights of data subjects regarding their personal data. The rights you have, and how you can exercise them, depend on the lawful basis we use to process your data. We will respond to requests to exercise your rights as a data subject within a period of one calendar month.
- Right to access
You have the right to ask for a copy of the information we hold about you (including why we hold the information, who has access to it, and where we obtained it), which is called a “subject access request”. We will process any such request within one calendar month, unless the request is considered to be manifestly unfounded or excessive, in which case we will communicate with you explaining the situation and the next course of action.
- Right to erasure
Unless we hold your data due to legal obligation or on a public interest basis, you have the right to ask us to delete or stop processing your data. We will respond within one calendar month to confirm whether the data has been deleted or processing stopped. If we cannot delete the data, or must continue to process it, we will provide a reason (for example, if we need it for regulatory purposes).
- Right to rectification
You have the right to ask us to change incorrect or incomplete information we hold about you.
- Right to restriction of processing
You have the right to ask us to restrict the way we process your personal data.
- Right to portability
You have the right to ask to receive a copy of all personal data we hold about you; the right to ask us to send it to you in a structured, easily accessible, machine-readable format; and the right to ask for this data to be sent directly to another data controller.
- Right to object
You have the right to object to our use of your personal data, which effectively asks us to stop processing. You can’t object to data held or processed on the basis of contract, legal obligation, or vital interests. While you can’t formally object to data held or processed on the basis of consent, you can withdraw consent at any time.
You have the right to make a complaint with the Information Commissioner’s Office (ICO) at any time.
Exercising your rights
Please direct any requests to exercise your rights as a data subject and any queries about this Privacy Notice to:
Warden’s Administrator, St George’s House, Windsor Castle, SL4 1NJ
We will respond to all such requests or queries within one calendar month.
Please note that when an individual seeks to exercise any of the rights listed above we may ask for verification of identity, including certified proof of identity, before processing the request.
We will not charge a fee for the first request but additional requests for the same data, or requests for data we consider to be manifestly unfounded or excessive, may be subject to an administration fee.
This Privacy Notice was last updated on 25 June 2021, and will be reviewed annually to ensure it is current.