PRIVACY NOTICE
For Members/People We Support, Students & Families, Donors & Supporters, Volunteers, Contractors, Visitors and the General Public
Last updated: April 2026
1. About This Document
This Privacy Notice explains how Kisharon Langdon collects, uses, stores and discloses personal data for all non-employees. Employees have a separate Employee Data Protection Notice.
2. Definitions
Personal Data: any information relating to an identified or identifiable living individual.
Special Category Data: a defined set of personal data that requires a higher level of protection under UK GDPR because of its sensitivity. This includes information about health, disability, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, biometric data, political opinions and data concerning sex life.
Processing: any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, retrieval, use, disclosure, alteration, restriction, erasure or destruction.
Data Controller: the organisation that determines the purposes and means of processing personal data. Kisharon Langdon is the Data Controller for the processing described in this notice. Our contact details are set out in section 11.
Data Processor: an organisation or individual that processes personal data on behalf of a Data Controller. We work with a number of third-party processors; further information is set out in section 6.
Data Subject: the identified or identifiable living individual to whom personal data relates.
Consent: a freely given, specific, informed and unambiguous indication of agreement to the processing of personal data. Where we rely on consent, you have the right to withdraw it at any time.
Lawful Basis: the legal justification under UK GDPR that permits us to process personal data. We must identify a lawful basis before processing any personal data, and where we process special category data we must also identify an additional condition.
3. Categories of Personal Data We Collect
Category | Data Types |
Members / People We Support & Families | Identity; contact; health and social care information; care plans; incident/safeguarding information; tenancy/funding; emergency contacts; communications records; video conferencing recordings; CCTV. |
Students & Families | Identity; contact; emergency contacts; attendance records; learning and assessment progress; Education, Health and Care Plan (EHCP); special educational needs information; timetabling; course enrolment and qualification records; bursary and funding eligibility; communications records; video conferencing recordings; incident and safeguarding information; post-college transition plans; CCTV. |
Donors & Supporters | Identity; contact; donation/payment information; Gift Aid status; event attendance; communication preferences; CCTV. |
Contractors & Service Providers | Identity; contact; bank/payment details; due diligence; identification photographs for access control; CCTV. |
Volunteers | Identity; contact; application details; interview notes; references; DBS outcome/date for eligible roles; role-based health/fitness information; training/induction completion; supervision notes; incident/safeguarding information; video conferencing recordings; CCTV. |
Website Users & Visitors | Cookie/analytics data; IP addresses; device identifiers; visitor logs; CCTV if accessing monitored areas. |
4. Lawful Bases & Purposes of Processing
We only process personal data where a lawful basis under Article 6 UK GDPR applies. Special category data requires Article 9 conditions; criminal conviction data requires Article 10 and DPA 2018 Schedule 1 conditions.
4.1 Purposes of Processing
- Delivering social care and support and meeting regulatory obligations (CQC).
- Delivering further education and training and meeting our regulatory obligations (Ofsted, ESFA).
- Monitoring student attendance, progress and learning needs, and administering EHCPs.
- Enabling students to take part in assessments and qualifications and recording achievements.
- Supporting post-college transition planning and providing references to employers or other education providers.
- Administering student bursaries, funding and Local Authority placement arrangements.
- Administering donations, payments and Gift Aid.
- Volunteer recruitment, onboarding, training, supervision and placement matching.
- Managing contractors/suppliers including access control and payments.
- Safeguarding, incident management, accident reporting and health & safety compliance.
- Site and system security including access logs and CCTV.
- Event management, communications, service improvement, enquiries and complaints handling.
4.2 Lawful Bases (Article 6)
- Legal Obligation – safeguarding, health & safety, social care duties, tax/Gift Aid.
- Legitimate Interests – service communications, volunteer administration, donor management, security, service delivery.
- Public Task – delivering further education and training in fulfilment of our statutory duties, including ESFA funding obligations and Ofsted regulatory requirements.
- Contract – supplier agreements, certain donor transactions.
- Consent – use of images, testimonials or comments for communications and publicity, and for certain marketing or fundraising communications where consent is required.
4.3 Special Category & Criminal Conviction Data Conditions
- Article 9(2)(b) – employment/social protection including safeguarding & H&S.
- Article 9(2)(g) – substantial public interest under DPA 2018 Schedule 1.
- Article 9(2)(h) – health/social care processing (members/people we support). This condition also applies to the assessment, support and monitoring of students’ educational, health and care needs, including processing carried out under or in connection with an Education, Health and Care Plan.
- Article 10 – criminal convictions (DBS), processed under DPA 2018 Schedule 1 safeguarding.
4.4 Marketing & Supporter Communications
We may send marketing or fundraising emails, texts or social media messages to individuals who have previously donated, purchased event tickets, expressed an interest in or otherwise engaged with our charitable purposes without requiring explicit consent. We do this in accordance with the charitable soft opt-in introduced by Section 114 of the Data (Use and Access) Act 2025.
To rely on this, we ensure that: the communication solely furthers Kisharon Langdon’s charitable purposes; the recipient’s contact details were collected in the context of their engagement with or support for those purposes; and the recipient is always given a clear opportunity to opt out.
Our lawful basis under UK GDPR for this processing is Legitimate Interests. You can opt out of these communications at any time by using the unsubscribe link in our communications or by contacting us at info@kisharonlangdon.org.uk.
5. How We Collect Personal Data
- Directly from you (forms, email, phone).
- From your representatives, carers or referees.
- From the DBS provider for eligible roles.
- From health/social care partners and regulators.
- From Local Authorities, education partners and awarding bodies.
- Automatically via CCTV, access logs, website cookies.
5.1 Our Website & Cookies
Personal data submitted through our website will be collected and processed in accordance with this Privacy Notice.
A cookie is a small text file placed on your device when you visit a website. We use cookies to help our website function properly and to understand how it is being used.
We use two types of cookies:
Essential cookies are necessary for the website to work and cannot be switched off. They do not require your consent.
Analytics cookies help us understand how visitors use our website so we can improve it. These cookies collect information in an anonymous or aggregated form and are only placed with your consent.
You can accept or decline cookies using the banner displayed when you first visit our website. You can also set your browser to refuse cookies, though this may affect how some parts of the website work. Many browsers now allow you to set cookie preferences at browser level, which we will respect as a valid expression of your consent.
For more information about cookies and how to manage them visit www.allaboutcookies.org.
6. Disclosure & Sharing of Personal Data
We share personal data only where necessary and lawful, with: local authorities; CQC and regulators; NHS/health/social care partners; DBS provider; occupational health; insurers; legal advisers; auditors; IT, security and systems providers (including the management information, learner record and case management systems we use to deliver and administer our services); Ofsted; the Education and Skills Funding Agency (ESFA); awarding and qualifications bodies; other schools and colleges involved in student referrals or transitions; careers and employment support services; the Department for Work and Pensions or benefits agencies where student funding or entitlement is relevant; police/safeguarding bodies.
If we merge or transfer any or all of our organisation or assets, personal data may be transferred to another charity. Any such new owner of our charity may continue to use this personal data in the same way(s) as set out in this Privacy Notice.
6.1 National Data Opt-Out
At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review this annually and for all new processing activities.
7. Security
We apply technical and organisational measures including encryption, MFA, secure hosting, access controls, training, breach procedures and supplier due diligence. CCTV is used for safety and security with restricted access. Most of our systems are hosted on secure, encrypted servers located in the UK, with access restricted to authorised personnel only. CCTV signage is displayed at monitored locations and further information is available on request.
8. International Transfers
Where data is processed outside the UK, we use adequacy regulations, SCCs with the UK Addendum and Transfer Risk Assessments. This may include cloud-based IT or email systems operated by suppliers with infrastructure outside the UK.
9. Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, and in accordance with applicable law and regulatory requirements.
Retention periods vary across our services depending on the nature of the data and the statutory framework that applies. As a general principle, most personal data held by Kisharon Langdon is retained for a period of between 7 and 10 years, unless a longer period is required by law or regulatory obligation – for example, certain health, safeguarding and social care records which must be kept for defined statutory periods.
Where shorter retention periods apply – for example for website analytics or visitor logs – we apply the minimum period necessary for the relevant purpose. At the end of the applicable retention period, personal data is securely deleted or anonymised. Our full retention schedule is available on request.
10. Your Rights
Under UK GDPR you have the following rights in relation to your personal data. To exercise any of these rights, please contact our Data Protection Officer at dpo@kisharonlangdon.org.uk. We will respond within one month of receiving your request, though this may be extended by a further two months in complex cases, in which case we will notify you.
Access – You have the right to request a copy of the personal data we hold about you and information about how we process it.
Rectification – You have the right to ask us to correct personal data that is inaccurate or incomplete.
Erasure – You have the right to ask us to delete your personal data where there is no compelling reason for us to continue processing it. This right is not absolute and will be balanced against our legal obligations and legitimate purposes.
Restriction – You have the right to ask us to restrict processing of your personal data in certain circumstances, for example while the accuracy of data is contested.
Objection – You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will always comply. Where you object to processing based on legitimate interests, we will consider your objection and cease processing unless we can demonstrate compelling legitimate grounds.
Portability – Where processing is based on your consent or a contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format.
Withdrawal of consent – Where we rely on your consent as the lawful basis for processing, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.
Automated decision-making – We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects.
Some rights are subject to exemptions under the UK GDPR and the DPA 2018 and may not apply in every circumstance. We will always explain if this is the case when responding to your request.
11. Queries & Complaints
To contact us about anything to do with your personal data and data protection, please use the following details:
Data Protection Officer: Email: dpo@kisharonlangdon.org.uk
If you wish to make a complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. In accordance with DUAA requirements, please contact us first so that we might try to resolve your concerns ourselves.
Kisharon Langdon: Compliments, concerns or complaints – Kisharon Langdon