upReach Associate User Agreement

1. Introduction

upReach needs to keep certain information about the people who use its services. This includes applicants who register to become upReach Associates and those that are subsequently accepted and become upReach Associates and then Alumni. This is necessary for upReach to carry out its work and measure its impact. We also need to process information so that support can be organised and obligations to partners and government complied with.

upReach is committed to ensuring that any information provided by Associates (and those that register to become Associates) is collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this upReach complies with all applicable laws and regulations and observes the Data Protection Principles, which are set out in the General Data Protection Regulation (GDPR).

Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent way;
  2. collected only for valid and explicit purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date;
  5. kept only as long as necessary for the purposes we told you about; and
  6. processed securely using appropriate technical or organisational measures.

upReach, it’s staff and others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, we have developed this Associate User Agreement.

2. The Data Controller and person responsible for Data Protection

In accordance with GDPR definitions, upReach is the Data Controller, with the CEO and Trustees therefore ultimately responsible for its implementation.

upReach has designated the Operations Manager, Nicola Lewis as the person responsible for Data Protection at upReach. Any queries relating to this Associate User Agreement, upReach data protection policy or implementation of GDPR should be referred to her at nicolal@upreach.org.uk.

3. Status of the Policy

upReach is committed to following this agreement and takes seriously any breaches. If you feel that this policy has not been followed in respect of your personal data please contact the Operations Manager immediately who will take appropriate action.

4. upReach Obligations

All employees of upReach have some responsibility for ensuring data is collected, stored and handled appropriately in line with the Data Protection Principles set out in Article 5 of the GDPR and have received appropriate training. In addition all upReach staff are responsible for ensuring:

  • Associate data is not shared informally for any purpose. Access to the data is restricted and will only be used by those who have legitimate reason.
  • Any personal data, which they hold, is kept securely, for example, if it is computerised, be protected by a strong password that is never shared.
  • Associate data is not disclosed to unauthorised people, internally or externally.

The Operations Manager and CEO are responsible for ensuring all implemented and new systems, services and equipment used for storing data meet acceptable security standards and perform regular checks to ensure proper functionality.

upReach is obliged to abide by all legal requests for information made by law enforcement or judicial bodies.

5. Associate Obligations

Associates must ensure that all personal data provided to the Charity is accurate and up-to-date. They must ensure that the Charity is kept up-to-date with, for example, changes of telephone number or email address.

6. Right to Access Information

You are entitled to request and access the information that upReach holds about you (subject to limited exceptions), as stated in General Data Protection Regulation (GDPR). In addition, you have the right to have inaccurate Personal Information corrected or removed and to object to the processing of your Personal Information. If you wish to access such Personal Information, you should apply in writing to the Operations Manager of upReach at the address set out on our website (http://upreach.org.uk).

In the event that upReach becomes aware of any inaccuracy in the Personal Information that it has recorded, upReach will correct that inaccuracy at the earliest practical opportunity.

7. Associate Consent and Processing Sensitive Information

To apply to become or become an upReach associate requires you to accept the terms of this Associate User Agreement. This consent is the Legal Basis which allows upReach to process the personal data you provide in order to carry out our work and help deliver the services we offer. We also use the data for impact measurement and evaluating the success of our programme.

Some examples of the ways in which this data may be used are set out below:

  • Informing an Associate’s university about their progress.
  • Informing an employer of an Associate’s background and progress through the upReach application processes.

A list of what information we define as personal data can be found in the Glossary section below.

8. Sensitive Data

We will also need to process some sensitive personal information. Accepting the terms of this Associate User Agreement also allows upReach to process the sensitive data you provide in order to deliver our services.

Unlike personal data, however, we will always seek your permission before sharing your sensitive information with a third party. Some examples of the why we might ask to share your personal data are set out below:

  • Informing a Partner Employer who has requested information to help inform their recruitment decision about an Associate.
  • Reporting to a University on diversity information about their cohort of Associates.

A list of what information we define as sensitive data can be found in the Glossary section.

9. Retention of Data

upReach will maintain Personal Information for only as long as it is required to do so by or for as long as necessary for the purpose(s) for which it was collected.

Once an Associate has graduated from university, they will automatically become an alumnus enrolled in the upReach Alumni programme. For the duration of the Alumni programme all data will be retained. If you withdraw from the Alumni Programme any sensitive and personal information that could personally identify you such as name, email address or phone number will be deleted.

If an Associate, who joined upReach as an Associate after 28 February 2017, leaves the upReach programme (or Alumni programme), any personal or sensitive information held that could personally identify you will be deleted five years after the Associate has left this programme.

The personally identifiable Personal or Sensitive data of Associates who joined the programme prior to 28 February 2017 and have since left the programme has already been deleted.

The personally identifiable Personal or Sensitive data of unsuccessful Associate applicants will be deleted on an annual basis in July.

Any Associate who leaves the programme can at any time request that their data is destroyed rather than the personally identifiable elements removed.

10. Conclusion

Compliance with GDPR is the responsibility of all members of upReach. Any deliberate breach of GDPR or this Associate User Agreement may lead to disciplinary action being taken, or access to Charity facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Operations Manager.


Glossary of Terms

GDPR defines this as any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed. Consent can be withdrawn after it has been given.  Where data is “sensitive”, express consent is always sought from the data subject before the data can be given to a third party.

Any information which will be processed, or, used on or by a computerised system, additionally it also includes information contained within a “relevant filing system” of information. Data can therefore be written, tape, photographic or digital.

Personal Data
Personal data means any information relating to a living individual who can be identified:

Examples of data which would fall into this category include:

  • Names
  • Gender
  • Date of birth
  • University details
  • Emails, phone number and personal address
  • IP address from where registration forms are sent
  • Postcode aged 16
  • Schools attended
  • A level qualifications
  • Career interests
  • Interview question answers
  • Applications and application status outcomes

Sensitive Data (termed Special Category under GDPR)
This means data which relates to sensitive aspects of a living and identifiable individual’s life

Examples of data which would fall into this category include:

  • Family income
  • Number of active guardians
  • Parents’ occupation, employment etc.
  • Student Finance arrangements
  • Information relating to siblings
  • Mitigating circumstances
  • Photos of an individual
  • Photos of student finance documents
  • Disability information
  • Equal opportunity information eg ethnicity, sexual orientation, religion, marital status e
  • Free School Meal eligibility
  • Whether or not a person is a care leaver
  • POLAR 3 / POLAR 4 data
  • ACORN deprivation data

Data Subject
The person who is the subject of the “personal data”.

Data Controller
A person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Data Processor
Any person (other than an employee of the data controller) who processes data on behalf of the data controller. The data controller retains responsibility for the actions of the data processor.

Limited Exceptions
Processing of personal and sensitive data including responding to a Subject Access Request may, in rare circumstances, be restricted when personal data is subject to situations involving “crime and taxation purposes” which include:

  • the prevention or detection of crime;
  • the capture or prosecution of offenders; and
  • the assessment or collection of tax or duty.

Covers almost anything which is done with or to the data, including:

  • obtaining data
  • recording or entering data onto the files
  • holding data, or keeping it on file without doing anything to it or with it
  • organising, altering or adapting data in any way
  • retrieving, consulting or otherwise using the data
  • disclosing data either by giving it out, by sending it on email, or simply by making it available
  • combining data with other information
  • erasing or destroying data
  • using the data within research

Any person to whom the data are disclosed, including any person to whom they are disclosed in the course of processing the data for the Data Controller (e.g. an employee of the data controller, a data processor or employee of the data processor).

Subject Access Request
The process by which individuals can find out what personal or sensitive data an organisation holds about them, why they hold it and who they disclose it to.

Third Party
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor are authorised to process personal data.

  • the data controller, or
  • other persons authorised to process data by the data controller.

“Third party” does not include employees or agents of the data controller or data processor of Staff




upReach Associate User Agreement

Prepared by:

Nicola Lewis

Effective from:


Review on or before: