upReach Charitable Company (upReach) as the producer of the aspire Guide and Assembly Pack has prepared this Privacy Notice to outline our practices regarding the collection, use, disclosure, transfer and other processing of individually identifiable information about you (“Personal Information”) collected when you use the aspire website. upReach will process any Personal Information fairly and lawfully, in accordance with this Privacy Notice and in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
In accordance with GDPR definitions, upReach, Ground Floor, Studio 18, Blue Lion Place, 237 Long Lane, London, SE1 4PU is the Data Controller, with the CEO and Trustees of upReach therefore ultimately responsible for its implementation. upReach has designated Gavin Davis, Finance Manager, as the person responsible for Data Protection matters for aspire. His contact details can be found below.
2. Information collection and use
While using our website and in our subsequent correspondence with you, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to, your name and contact details (“Personal Information”).
A) Personal Information Collection
Subject to this Notice, upReach will treat as confidential the Personal Information that it collects about you. upReach may collect the following categories of Personal Information:
- Your name
- Email address
- School year
- Job title
- School or organisation name
- School or organisation postcode
- Home postcode
B) Purposes of Use of Personal Information and Legal Basis
upReach may use the Personal Information listed above to send you the aspire Guide and/or Assembly Pack as requested, and to keep you informed of any of upReach’s activities that may be of interest to you in the future. Postcode data may be used to perform anonymised demographic analysis.
If you decide you no longer want to receive any such services or communications, you have the right to inform us and opt-out.
3. Disclosure and international transfers of personal information
For the purposes detailed above, your Personal Information may be stored on MailChimp.com, the service we use to maintain our distribution lists. You can opt out of these communications at any time.
If necessary and in accordance with applicable laws, upReach may disclose personal data to our outside professional advisers and to other third party processors that provide products or services to upReach, such as IT systems providers.
Where the processing of personal data is delegated to a third party data processor, upReach will choose a data processor that provides sufficient guarantees with respect to technical and organisational security measures governing the relevant processing and will ensure that the processor acts on our behalf and under our instructions.
Where third party processing or storage takes place outside the United Kingdom or EEA (European Economic Area), upReach recognises these as ‘restricted transfers’ and conducts an ‘adequacy assessment’ to ensure the proposed transfer will provide an adequate level of protection for the rights of the data subjects and takes steps to establish appropriate data protection and information security requirements with recipients to confirm that data is properly protected in accordance with this Notice and all applicable laws.
By using this site you are consenting to our use of these cookies.
5. Log Data
Like many site operators, we collect information that your browser sends whenever you visit our website (“Log Data”).
This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages and other statistics. This helps us to improve the site by monitoring how you use it.
We may use third party services such as Google Analytics and Hotjar to collect, monitor and analyze this in order to help us measure traffic and usage trends for the website. We collect and use this analytics information in aggregate form such that it cannot reasonably be manipulated to identify any particular individual user.
6. Changes to the Notice
Should upReach decide to substantially modify the manner in which it collects or uses Personal Information, the type of Personal Information that it collects or any other aspect of this Notice, upReach will notify you as soon as possible of such changes by re-issuing a revised Notice on our website (http://aspire.upreach.org.uk).
7. Accuracy of and access to your personal information (subject access requests)
You are entitled to request and access the information that upReach holds about you (subject to limited exceptions), as stated in the General Data Protection Regulation (GDPR). In addition, you have the right to have inaccurate Personal Information corrected or removed and to object to the processing of your Personal Information. If you wish to access such Personal Information, you should apply in writing to the person on the contact details below or at the email address set out on our website (http://aspire.upreach.org.uk).
To assist us in maintaining accurate Personal Information, you must advise us of any changes to your Personal Information. In the event that upReach becomes aware of any inaccuracy in the Personal Information that it has recorded, upReach will correct that inaccuracy at the earliest practical opportunity.
8. Retention of Data
upReach will retain any information provided for the purpose(s) for which it was collected for up to 6 (six) years.
upReach maintains appropriate technical and organisational security measures including staff training to protect Personal Information against accidental or unlawful destruction, or accidental loss, alteration, unauthorised disclosure or access, in compliance with applicable laws.
10. Links to Other Websites and Services
upReach is not responsible for the practices employed by websites or services linked to or from its website (http://aspire.upreach.org.uk) including the information or content contained therein. Please remember that when you use a link to go from this site to another website, our Privacy Notice does not apply to third-party websites or services. Your browsing and interaction on any third-party website or service, including those that have a link or advertisement on our website, are subject to that third party’s own rules and policies.
Please address all questions to Gavin Davis, Finance Manager at upReach: email@example.com
Glossary of Terms
An assessment of the risk of transferring data outside the EEA, ensuring protection is adequate in all the circumstances of the case. The assessment considers the nature of the data, the risk to the rights of the individual, the purposes and period of transfer.
GDPR defines this as any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. Consent can be withdrawn after it has been given.
Where data is “sensitive”, express consent is always sought from the data subject before the data can be given to a third party.
Any information which will be processed or used on or by a computerised system. It also includes information contained within a “relevant filing system” of information. Data can therefore be written, tape, photographic or digital.
Personal data means any information relating to a living individual who can be identified:
Examples of data which would fall into this category include:
- Date of birth
- University details
- Emails, phone number and personal address
Special Category Data
This means data which relates to more sensitive aspects of a living and identifiable individual’s life.
Data which falls into this category includes:
- Ethnic origin
- Trade Union Membership
- Biometrics (when used for ID purposes)
- Sex life
- Sexual orientation
The person who is the subject of the “personal data”.
A person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
Any person (other than an employee of the data controller) who processes data on behalf of the data controller. The data controller retains responsibility for the actions of the data processor.
Processing of personal and sensitive data including responding to a Subject Access Request may, in rare circumstances, be restricted when personal data is subject to situations involving “crime and taxation purposes” which include:
- the prevention or detection of crime;
- the capture or prosecution of offenders; and
- the assessment or collection of tax or duty.
Covers almost anything which is done with or to the data, including:
- obtaining data
- recording or entering data onto the files
- holding data, or keeping it on file without doing anything to it or with it
- organising, altering or adapting data in any way
- retrieving, consulting or otherwise using the data
- disclosing data by giving it out, sending it on email, or simply making it available
- combining data with other information
- erasing or destroying data
- using the data within research
Any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for the Data Controller (e.g. an employee of the data controller, a data processor or employee of the data processor).
A transfer of personal data outside the protection of the GDPR most often involves a transfer from inside the EEA to a country outside the EEA.
Subject Access Request
The process by which individuals can find out what personal or sensitive data an organisation holds about them, why they hold it and who they disclose it to.
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor are authorised to process personal data.
Prepared by: Gavin Davis
Effective from: 15/10/2020
Review on or before: 15/10/2021