Privacy Policy

**A-16 aspire Privacy Notice & Use of Cookies**

Purpose

upReach Charitable Company (upReach) as the producer of the aspire Guide and Assembly Pack has prepared this Privacy Notice to outline our practices regarding the collection, use, disclosure, transfer and other processing of individually identifiable information about you (“Personal Information”) collected when you use the aspire website. upReach will process any Personal Information fairly and lawfully, in accordance with this Privacy Notice and in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

In accordance with GDPR definitions, upReach, Ground Floor, Studio 18, Blue Lion Place, 237 Long Lane, London, SE1 4PU is the Data Controller, with the CEO and Trustees of upReach therefore ultimately responsible for its implementation. upReach has designated Gavin Davis, Finance Manager, as the person responsible for Data Protection matters for aspire. His contact details can be found below.

2. Information collection and use

While using our website and in our subsequent correspondence with you, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to your name and contact details (“Personal Information”).

A) Personal Information Collection

Subject to this Notice, upReach will treat as confidential the Personal Information that it collects about you. upReach may collect the following categories of Personal Information:

Your name
Email address
School year
Job title
School or organisation name
School or organisation postcode
Home postcode

B) Purposes of Use of Personal Information and Legal Basis

upReach may use the Personal Information listed above to send you the aspire Guide and/or Assembly Pack as requested, and to keep you informed of any of upReach’s activities that may be of interest to you in the future. Postcode data may be used to perform anonymised demographic analysis.

If you decide you no longer want to receive any such services or communications, you have the right to inform us and opt-out.

3. Disclosure and international transfers of personal information

For the purposes detailed above, your Personal Information may be stored on MailChimp.com, the service we use to maintain our distribution lists. You can opt-out from these communications at anytime.

If necessary and in accordance with applicable laws, upReach may disclose personal data to our outside professional advisers and to other third party processors that provide products or services to upReach, such as IT systems providers.

Where the processing of personal data is delegated to a third party data processor, upReach will choose a data processor that provides sufficient guarantees with respect to technical and organisational security measures governing the relevant processing and will ensure that the processor acts on our behalf and under our instructions.

Where third party processing or storage takes place outside the United Kingdom or EEA (European Economic Area), upReach recognises these as ‘restricted transfers’ and conducts an ‘adequacy assessment’ to ensure the proposed transfer will provide an adequate level of protection for the rights of the data subjects and takes steps to establish appropriate data protection and information security requirements with recipients to confirm that data is properly protected in accordance with this Notice and all applicable laws.

4. Use of Cookies

This site uses cookies to optimise your user experience. Cookies are files with small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer’s hard drive.

By using this site you are consenting to our use of these cookies.

5. Log Data

Like many site operators, we collect information that your browser sends whenever you visit our website (“Log Data”).

This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our website that you visit, the time and date of your visit, the time spent on those pages and other statistics. This helps us to improve the site by monitoring how you use it.

We may use third party services such as Google Analytics and Hotjar to collect, monitor and analyze this in order to help us measure traffic and usage trends for the website. We collect and use this analytics information in aggregate form such that it cannot reasonably be manipulated to identify any particular individual user.

6. Changes to the Notice

Should upReach decide to substantially modify the manner in which it collects or uses Personal Information, the type of Personal Information that it collects or any other aspect of this Notice, upReach will notify you as soon as possible of such changes by re-issuing a revised Notice on our website (http://aspire.upreach.org.uk).

7. Accuracy of and access to your personal information (subject access requests)

You are entitled to request and access the information that upReach holds about you (subject to limited exceptions), as stated in General Data Protection Regulation (GDPR). In addition, you have the right to have inaccurate Personal Information corrected or removed and to object to the processing of your Personal Information. If you wish to access such Personal Information, you should apply in writing to the person on the contact details below or at the email address set out on our website (http://aspire.upreach.org.uk).

To assist us in maintaining accurate Personal Information, you must advise us of any changes to your Personal Information. In the event that upReach becomes aware of any inaccuracy in the Personal Information that it has recorded, upReach will correct that inaccuracy at the earliest practical opportunity.

8. Retention of Data

upReach will retain any information provided for the purpose(s) for which it was collected for up to 6 (six) years.

9. Security

upReach maintains appropriate technical and organisational security measures including staff training to protect Personal Information against accidental or unlawful destruction, or accidental loss, alteration, unauthorised disclosure or access, in compliance with applicable laws.

10. Links to Other Websites and Services

upReach is not responsible for the practices employed by websites or services linked to or from its website (http://aspire.upreach.org.uk) including the information or content contained therein. Please remember that when you use a link to go from this site to another website, our Privacy Notice does not apply to third-party websites or services. Your browsing and interaction on any third-party website or service, including those that have a link or advertisement on our website, are subject to that third party’s own rules and policies.

11. Questions?

Please address all questions to Gavin Davis, Finance Manager at upReach: gavin.davis@upreach.org.uk

Glossary of Terms

Adequacy Assessment

An assessment of the risk of transferring data outside the EEA ensuring protection is adequate in all the circumstance of the case. The assessment considers the nature of the data, the risk to the rights of the individual, the purposes and period of transfer.

Consent

GDPR defines this as any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. Consent can be withdrawn after it has been given.

Where data is “sensitive”, express consent is always sought from the data subject before the data can be given to a third party.

Data

Any information which will be processed, or, used on or by a computerised system, additionally it also includes information contained within a “relevant filing system” of information. Data can therefore be written, tape, photographic or digital.

Personal Data

Personal data means any information relating to a living individual who can be identified:

Examples of data which would fall into this category include:

Name
Gender
Date of birth
University details
Emails, phone number and personal address

Special Category Data

This means data which relates to more sensitive aspects of a living and identifiable individual’s life

Data which falls into this category includes:

Race
Ethnic origin
Politics
Religion
Trade Union Membership
Genetics
Biometrics (when used for ID purposes)
Health
Sex life
Sexual orientation

Data Subject

The person who is the subject of the “personal data”.

Data Controller

A person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Data Processor

Any person (other than an employee of the data controller) who processes data on behalf of the data controller. The data controller retains responsibility for the actions of the data processor.

Limited Exceptions

Processing of personal and sensitive data including responding to a Subject Access Request may, in rare circumstances, be restricted when personal data is subject to situations involving “crime and taxation purposes” which include:

the prevention or detection of crime; the capture or prosecution of offenders; and the assessment or collection of tax or duty.

Processing

Covers almost anything which is done with or to the data, including:

obtaining data
recording or entering data onto the files
holding data, or keeping it on file without doing anything to it or with it
organising, altering or adapting data in any way
retrieving, consulting or otherwise using the data
disclosing data by giving it out, sending it on email, or simply making it available
combining data with other information
erasing or destroying data
using the data within research

Recipient

Any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for the Data Controller (e.g. an employee of the data controller, a data processor or employee of the data processor).

Restricted Transfer

A transfer of personal data outside the protection of the GDPR most often involves a transfer from inside the EEA to a country outside the EEA.

Subject Access Request

The process by which individuals can find out what personal or sensitive data an organisation holds about them, why they hold it and who they disclose it to.

Third Party

A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor are authorised to process personal data.

A-16: aspire Privacy Notice and Use of Cookies
Prepared by: Gavin Davis
Effective from: 15/10/2020
Review on or before: 15/10/2021