Associate User Agreement and Data Protection Policy

In compliance with the principles of the Data Protection Act 1998


upReach Charitable Company ("the Charity") needs to keep certain information about people who use its services (including those who apply to be upReach “Associates” and those that become upReach “Associates”) to allow it to monitor performance and achievements, for example. It also needs to process information so that support can be organised and obligations to Partners and government complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the Charity must comply with the Data Protection Principles, which are set out in the Data Protection Act 1998.

In summary these state that personal data shall:

  1. Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
  2. Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  3. Be adequate, relevant and not excessive for that purpose.
  4. Be accurate and kept up to date.
  5. Not be kept for longer than is necessary for that purpose.
  6. Be processed in accordance with the data subject's rights.
  7. Be kept safe from unauthorised access, accidental loss or destruction.
  8. Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

The Charity and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the Charity has developed this Associate User Agreement and Data Protection Policy.

2. The Data Controller and the Designated Data Controller

The Charity as a body corporate is the Data Controller under the Act, and the Trustees are therefore ultimately responsible for implementation.

The Charity has designated Ms Laura Harrisson (Programme Manager) to act as Data Controller. Any query relating to the implementation of the Data Protection Act 1998 should be referred to the Data Controller at

3. Status of the Policy

Anyone who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with the designated data controller initially. If the matter is not resolved it should be raised as a formal grievance.

4. Our Obligations

All upReach staff are responsible for ensuring that:

  • Any personal data, which they hold, is kept securely, for example, if it is computerised, be password-protected.
  • Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.

5. Associate Obligations

Associates must ensure that all personal data provided to the Charity is accurate and up-to-date. They must ensure that the Charity is kept up-to-date with, for example, changes of telephone number or email address.

6. Rights to Access Information

As per the Data Protection Act 1998, applicants and Associates have the right to request access to any personal data that is being kept about them either on a computer or in certain files. Any person who wishes to exercise this right should contact the Charity.

In order to find out what data is currently being held about them, applicants and Associates must request disclosure of this in writing.

In all cases where data is requested, the Charity will make a charge of £10 on each occasion that access is requested. Cheques must be made payable to UPREACH CHARITABLE COMPANY.

The Charity aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 60 calendar days.

7. Subject Consent and Processing Sensitive Information

Sometimes it is necessary to process personal or sensitive information about a person's background. This is to ensure the Charity is able to operate and offer effective support.

8. Personal Data

Applying to become, or agreeing to become an Associate will be taken as agreement for the Charity to process personal data without the express consent of the individual. Some examples of the ways in which this data may be used are set out below:

  1. Informing an Associate’s university about their background information or progress.
  2. Informing an employer of an Associate’s background and progress through application processes.

A list of what information we define as personal data can be found in the Glossary section.

9. Sensitive Data

The Charity will also need to process some sensitive personal information. Applying to become or agreeing to become an Associate will be taken as agreement for the Charity to internally process any sensitive data required.

Unlike personal data, however, we will always seek your permission before sharing your sensitive information with a third party. Some examples of the why we might ask to share your personal data are set out below:

  1. Informing a Partner Employer who has requested information to help inform their recruitment decision about an Associate.
  2. Reporting to a University on diversity information about their cohort of Associates.

A list of what information we define as sensitive data can be found in the Glossary section.

10. Retention of Data

The Charity will keep some forms of information for longer than others and the Charity will need to keep some data on Associates indefinitely. This will include information required for job references as well as for future research.

Once an Associate has graduated from university, they will automatically become an alumnus enrolled in the upReach Alumni programme. If an Associate leaves the upReach programme, any sensitive information held will be anonymised (or destroyed) five years after the Associate has left this programme for those who joined upReach after 28 February 2017 and after one year for those who joined upReach prior to 28 February 2017.

All sensitive information for unsuccessful applicants will be destroyed at the end of that year’s application cycle.

11. Conclusion

Compliance with the Data Protection Act 1998 is the responsibility of all members of the Charity. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to Charity facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Controller.

The Charity is obliged to abide by all legal requests for information made by law enforcement or judicial bodies.

Glossary of Terms


Any information which will be processed, or, used on or by a computerised system, additionally it also includes information contained within a “relevant filing system” of information. Data can therefore be written, tape, photographic or digital.

Personal Data

Personal data means data which relates to a living individual who can be identified:

  1. from that data; or
  2. for that data and other information which is in the possession of, or is likely to come into the possession of, the data controller; and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Examples of data which would fall into this category include:

  • Names
  • Gender
  • Date of birth
  • University details
  • Emails, phone number and personal address
  • IP address from where registration forms are sent
  • Postcode aged 16
  • Schools attended
  • A level qualifications
  • Career interests
  • Interview question answers
  • Applications

Sensitive Data

This means data which relates to sensitive aspects of a living and identifiable individual’s life

Examples of data which would fall into this category include:

  • Family income
  • Number of active guardians
  • Parents’ occupation, employment etc.
  • Student Finance arrangements
  • Information relating to siblings
  • Mitigating circumstances
  • Photos of an individual
  • Photos of student finance documents
  • Disability information
  • Equal opportunity information - ethnicity, sexual orientation, religion, marital status etc.
  • Free School Meal eligibility
  • Whether or not a person is a care leaver
  • ACORN deprivation data

Data Subject

The person who is the subject of the “personal data”.

Data Controller

A person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Data Processor

Any person (other than an employee of the data controller) who processes data on behalf of the data controller. The data controller retains responsibility for the actions of the data processor.


Covers almost anything which is done with or to the data, including:

  • obtaining data
  • recording or entering data onto the files
  • holding data, or keeping it on file without doing anything to it or with it
  • organising, altering or adapting data in any way
  • retrieving, consulting or otherwise using the data
  • disclosing data either by giving it out, by sending it on email, or simply by making it available
  • combining data with other information
  • erasing or destroying data
  • using the data within research


The European Data Protection Directive defines this as - any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. Consent can be withdrawn after it has been given.

Where data is “sensitive”, express consent is sought from the data subject before the data can be given to a third party.


Under the Data Protection Act a recipient is defined as any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for the Data Controller (e.g. an employee of the data controller, a data processor or employee of the data processor).

Third Party

The Data Protection Act defines a “third party”, in relation to personal data, as any person other than -

  • the data controller, or
  • other persons authorised to process data by the data controller.

“Third party” does not include employees or agents of the data controller or data processor of Staff