Privacy Policy
At The King’s Foundation we are committed to protecting and respecting your privacy. We want everyone to
feel confident and comfortable with how any personal information will be looked after or used.
This privacy policy sets out how we collect, use, and store your personal information. As an open and
transparent organisation our privacy policy explains:
- When and why The King’s Foundation collects personal data;
- What personal data we collect;
- How we use an individual’s personal data;
- How we store personal data;
- The conditions under which we may share an individual’s personal data; and
- When we may destroy an individual’s personal data.
Additionally, the policy also explains an individual’s data rights and protections under the UK General Data
Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). It should be noted that
under the UK GDPR, sole traders are given the same rights and freedoms as individuals and therefore this
policy refers to both individuals and sole traders.
We may review and update this policy and when this occurs, we will publish an update on The King’s
Foundation website. This policy was updated in April 2024.
The King’s Foundation is a charity which operates throughout the UK and internationally to support people
to create community through building sustainable housing, regenerating neighbourhoods and teaching
traditional craft skills. We work nationally and internationally but at the heart of our organisation is the
heritage-led regeneration of the Dumfries House estate and its wider community, where our principles and
philosophies are explored and put into practice. The Foundation operates Dumfries House as a visitor
attraction and a trading subsidiary, Dumfries Farming and Land Ltd and A G Carrick Ltd which runs garden
tours and visitor services at Highgrove. These operate to generate income to invest profits into the charity.
The subsidiaries are wholly owned and operated by the charity. Any information that we collect may be used
by these entities. The Foundation and the trading entities are registered as data controllers with the
Information Commissioners Office (ICO), with the following registration details:
The King’s Foundation ZA712407
Dumfries House Trust Trading Limited Z2075819
Dumfries Farming and Land Limited ZA712480
A G Carrick Limited Z1451664
The registration details can be viewed at: https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/
Any enquiry about how we process associate, customer, student, employee or recruitment data, or any
questions regarding this Policy and our privacy practices should be sent by email to data@kings-foundation.org or by writing to:
The Executive Director – Estates and Operations
The King’s Foundation
Dumfries House
Cumnock
Ayrshire
KA18 2NJ
Alternatively, you can call us on +44(0)1290 425959.
When and why do we collect personal data?
Under the UK GDPR we are required to inform you of the lawful basis under which we process personal data
and to inform you of why processing your personal data is necessary. We process personal information to
enable us to:
- provide education and support services to our students and staff;
- advertise and promote The King’s Foundation and the services we offer;
- undertake research and fundraising;
- manage our accounts and records; and
- provide outreach and open programme activities to our clients/customers.
We collect and process your data under the UK GDPR lawful bases of either:
Article 6 (1)(b) Contract: the processing is necessary for a contract you have with the individual, or because
they have asked you to take specific steps before entering into a contract. OR
Article 6 (1)(c) Legal obligation: the processing is necessary for you to comply with the law (not including
contractual obligations). OR
Article 6 (1)(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate
interests of a third party.
What information do we collect?
The types of personal information that we collect may include, but is not limited to:
- Title, gender, date of birth
- Your contact details including social media details
- Contact preferences
- Your IP address location, browser type and information on how you interact with our website
- Your bank and credit card details in line with payment card industry standards
- Any other information provided by yourself to The King’s Foundation
We collect the data that we need to process the service or request you are making, for example if you enrol
as a student or buy a service. If you use our website, we may collect your IP address and record cookies on
your computer. These allow the website to function, and we do not further process this data.
How do we collect your information?
We collect the information in the following ways:
- When you interact with us directly
We may obtain personal information from you when you enquire about events or courses, for
example you complete an online booking form, register for our mailing list, complete enrolment
information, or donate.
- Information from third parties
We may also receive information about you from third party sites that we use for organising events.
We will only use information given to us by these sites if you have given them consent for your
information to be passed onto us. You should check their privacy policies when you provide any
information to understand how they will process your information. Once we have received this
information it will be covered under our privacy policy as well as the originating third party.
- Information that we get from your use of our website and services
We collect information from you on the page that your view on our sites and the information that
you request on our websites.
- Information in the public domain
We may obtain information from publicly available sources such as Local Authority websites, for example school head teacher contacts and social media.
How do we use your data?
We may use personal information in the following ways:
- If you have made an enquiry, contact you about the enquiry you have made or inform you about our
services; - If you have requested services, products, or information, provide you with services, products, or
information that you have asked for as well as information about other services, products or
information that may be of interest to you; - If you have booked an event with us or bought tickets for tours or events, then we may use your
information to send you promotional materials for future events and notifications of what is
happening within The King’s Foundation; - If you have applied to one of The King’s Foundation courses then then we will use your information
to run, develop and evaluate the Foundation’s education programs and to process your application; - If you have attended one of The King’s Foundation courses, we may use your information to keep in
contact with alumni.
Who do we share your data with?
We do not sell or rent your information to third parties. We do not share your information with third parties
for marketing purposes. Data could be passed to third parties who are working on behalf of the Foundation.
Any relationship that is entered into will be covered by a formal agreement concerning the processing of
personal data.
If The King’s Foundation was to merge with any other organisation to form a new entity, then your data may
be transferred to the new entity.
How do we protect and store your data?
All data, including personal information, is held within our secure network or cloud-based services with
restricted access. Your personal data may also be stored in documents such as student records, hospitality
databases and contact lists. We also use third-party data management, online booking, and payment systems
to, for example, send our email communications, manage our hospitality bookings and student enrolments and your name and email address may be recorded within those databases. All these databases and networks are either hosted securely through servers based in the UK or if hosted outside of the UK, are covered by a
Standard Contractual Clauses (SCC) data processing agreement between the parties, in line with ICO
guidance.
We cannot guarantee the security of any information you transmit to us by email or post. Once we receive
your information it will be protected by our data protection policies and processes.
Use of ‘cookies’
The King’s Foundation website uses cookies. ‘Cookies’ are small pieces of information sent by an organisation
to your computer and stored on your hard drive to allow that website to recognise you when you visit, to
allow you to move from page to page without having to login on every page. Cookies can also collect
statistical data about your browsing actions and patterns and do not identify you as an individual. This helps us to review and improve the information on our website. It is possible to switch off cookies by setting your
browser preferences.
When do we remove your data?
The following sets out how long you can expect us to keep your personal data:
Personal data (belonging to) | Retention period |
Applicants that have applied for employment with the organisation | For six months if your application is unsuccessful |
Employees of the organisation | For six years beyond the date employment ceases |
Students | Until you ask us to remove your personal data from our records so we can keep in contact with you about your progress |
Customers | Until you ask us to remove your personal data from our records so we can keep in contact with you about the work of The King’s Foundation |
Associates | Until you ask us to remove your personal data from our records so we can keep in contact with you about the work of The King’s Foundation |
Suppliers | Until you ask us to remove your personal data from our records so we can keep in contact with you about the work of The King’s Foundation |
What are your data rights?
Under UK GDPR you have rights regarding your personal data:
Individual right | How The King’s Foundation applies this right |
The right to be informed | This privacy policy sets out how we collect and use personal data. The policy is available on The King’s Foundation website. |
The right of access (also known as subject access requests) | Under UK GDPR, you have the right to obtain: • Confirmation that your data is being processed; • Access to your personal data; and • Other supplementary information – that corresponds to the information provided in this privacy notice. We will provide this information to you free of charge unless the request is ‘manifestly unfounded or excessive,’ when we may choose to charge an administration fee or refuse to respond. We will endeavour to provide the information as soon as possible, and never more than one month after receipt of your request. To ensure data security we will request evidence of identification before we supply any personal data. |
The right to rectification | Where you tell us that the information we hold on our records about you is incorrect, we will update the data as quickly as possible, and no longer than one month after you have let us know. |
The right to erasure (also known as the right to be forgotten) | The UK GDPR introduces the right to have your personal data erased. However, this right is not absolute and only applies in certain circumstances. You can apply to have your data removed and this will be actioned no longer than one month after you have let us know unless the data is required under contract or legal obligations of the organisation. |
The right to restrict processing | You have the right to request that we restrict the processing of your personal data in certain circumstances. For example: • you contest the accuracy of the data we hold. In this instance we will restrict your data until we have verified the accuracy of the data; • the data has been unlawfully processed, but you oppose erasure and request restriction instead. This is unlikely, however if this is the case, we will retain your data in this instance; • we no longer need the data, and it will be removed under our data retention policy, but you require us to retain the information to establish, exercise or defend a legal claim. This is unlikely, however if this is the case, we will retain your data in this instance; • you have objected to us processing your personal data under the ‘right to object’ and we are considering whether our legitimate grounds override those of the individual. In this instance we will restrict the processing of your data until the matter is resolved. |
The right to data portability | You have the right to request organisations provide you with a copy of your personal data to allow you to move, copy or transfer it from one IT environment to another. This right only applies when the lawful basis for processing personal data is consent or for the performance of a contract. |
The right to object | You have the right to object to the processing of your personal data at any time. This allows you to stop or prevent us from processing your personal data under certain circumstances. An objection may be in relation to all the personal data we hold about you or only to certain information. It may also only relate to a particular purpose we are processing the data for. If you are objecting, where we are processing information under legitimate interest, you must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your situation. |
The right to automated decision making including profiling | The King’s Foundation does not undertake any automated decision making or profiling activities in relation to personal data. |
What is the UK GDPR and what is ‘personal data’?
The UK General Data Protection Regulation (UK GDPR) is a UK law which came into effect on 1 January
2021. It sets out the key principles, rights, and obligations for most processing of personal data in the UK,
except for law enforcement and intelligence agencies. It sits alongside the Data Protection Act 2018 (DPA
2018) which sets out the data protection framework in the UK. The intention behind the UK GDPR is to give
individuals more say over how companies use and process their personal data. It is based on the EU GDPR
which applied in the UK before 1 January 2021.
In the UK, the ICO is an independent authority which upholds the UK legislation relating to Data Protection
and other public information rights.
Under UK GDPR personal data is defined as any information relating to an identified or identifiable natural
person (also known as a data subject), an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier. Personal data identifiers can include basic identity
information e.g., name, address, email addresses, date of birth, ID numbers, web data such as location, IP
address, Cookie tags.
The right to lodge a complaint with a supervisory authority
You can register a complaint about our handling of your personal data with the ICO, who are the UK’s
supervisory authority for UK GDPR. www.ico.org.uk/concerns/
More information
For more information on the UK GDPR and how it governs your personal data you can access all the detail,
definitions, and guidance from the ICO at the following links:
https://ico.org.uk/for-the-public
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/