Data Protection Policy

1. Purpose
This policy applies to Star Lite Facilities Management Limited. Star Lite Facilities Management Limited is registered with the Information Commissioner. Complete details of the company’s entry on the Data Protection Register can be found on the notification section of the Information Commissioner’s website: www.dataprotection.gov.uk. Our registration number is ZA471337.

The register entry provides:

• A fuller explanation of the purposes for which personal information may be used.
• Details of the types of data subjects about whom personal information may be held.
• Details of the types of personal information that may be processed.
• Details of the individuals and organisations that may be recipients of personal information collected by Star Lite Facilities Management Limited.

Star Lite Facilities Management Limited needs to keep certain information about its employees, students, voluntary members, and other users for academic and administrative purposes. It also needs to process information to comply with legal obligations to funding bodies and the government.

When processing such information, Star Lite Facilities Management Limited must comply with the Data Protection Principles outlined in the Data Protection Act 1998. These principles state that personal data must be:

• Fairly and lawfully processed.
• Processed for limited purposes.
• Adequate, relevant, and not excessive.
• Accurate.
• Not kept longer than necessary.
• Processed in accordance with the data subject’s rights.
• Secure.
• Not transferred to countries without adequate protection.

2. Responsibility
The Director is responsible for ensuring that this policy is applied within the organisation. The Management Representative is responsible for maintaining, regularly reviewing, and updating the policy.

3. Status of the Policy
This document sets out Star Lite Facilities Management Limited’s policy and procedures to meet the requirements of the Data Protection Act 1998. It is available to employees, students, voluntary members, and external agencies upon request.

4. The Data Controller
The Management Representative is ultimately responsible for Data Protection. However, the Director of Resources acts as the main Data Controller. Local regional staff are designated as local data protection officers to handle day-to-day compliance, often with the support of Course Managers.

5. Subject Consent
In many cases, Star Lite Facilities Management Limited processes personal data only with the individual’s consent. For sensitive data, express consent is required.

Agreement to process certain categories of personal data is a condition for:

• Acceptance onto a course.
• Membership recognition in the association.
• Employment within the organisation.

This includes processing information about criminal convictions under the Rehabilitation of Offenders Act 1974 and ensuring staff suitability for roles involving vulnerable groups.

6. Staff Responsibilities
Employees are required to:

• Ensure that any personal data they provide is accurate and up to date.
• Inform the organisation of any changes to their information (e.g., address, bank details).
• Store personal data securely and avoid unauthorized disclosures.

Failure to comply with the policy may result in disciplinary actions.

6.1. Use of Personal Data Off-Site
Staff processing personal data off-site must take precautions to prevent unauthorized access or disclosure. In the event of loss or theft, the Data Controller must be notified immediately.

7. Voluntary Members Obligations
Voluntary members must:

• Provide accurate and up-to-date personal data.
• Notify the Office Manager of any changes (e.g., address).

They must also ensure the secure storage of personal data and avoid unauthorized disclosures, which may result in disciplinary actions.

8. Student Obligations
Students are responsible for:

• Providing accurate and up-to-date personal data.
• Notifying regional office staff of changes.

8.1. Use of Student Data
Student data is used for:

• Processing applications.
• Providing services and information.
• Research and statistical analysis.
• Accreditation and audit purposes.

9. Accuracy of Data
Employees, students, and voluntary members should notify the organisation of changes to personal circumstances. Accuracy is assumed based on reasonable steps like taking up references.

10. Third Parties
Star Lite Facilities Management Limited processes third-party data lawfully and fairly, ensuring mechanisms for data access, marketing objections, and preventing unauthorized disclosure.

11. Security Measures
Access to personal data is restricted to authorized personnel. Data must be:

• Stored securely (e.g., locked cabinets, password-protected systems).
• Transferred securely and disposed of appropriately (e.g., shredding, reformatting).

11.1. Retention of Data
Personal data is retained based on operational or legal requirements, typically up to seven years.

11.2. Transfer of Data Outside the UK
Personal data is not transferred outside the UK without express consent.

12. Use of Personal Data in Research
Data used for research is exempted for specific purposes (e.g., statistical analysis) and must not target or harm individuals.