upReach Associate User Agreement
This upReach Associate User Agreement (“Agreement”) sets forth upReach Charitable Company’s ("upReach", "we", "our","or","us") practices regarding the collection and processing of individually identifiable data from prospective applicants (“Applicant(s)”), individuals accepted into upReach’s programme (“Associate(s)”), or upReach Associates who have transitioned into alumni status (“Alumni”) (each, an “Upreach User,” collectively, the “Upreach Users,” “you” or “your”).
upReach collects and retains certain information about individuals using, or attempting to use, upReach’s services. We collect this data for various purposes and at different times in furtherance of upReach’s mission, purpose, and services, as detailed in this Agreement. This Agreement should be read in conjunction with our Privacy Notice, which can be found at https://upreach.org.uk.
By applying to become an upReach Associate, or providing upReach with personal data, you consent to the terms of this Agreement, upReach’s processing of your personal data (as further detailed in this Agreement), and the purposes for which your personal data is processed. You understand and agree that upReach will process personal data and certain types of special category data to deliver services to you and our Partners (as defined herein), as well as to measure, evaluate, and report upReach’s services and impact. You also understand and agree that upReach’s processing of personal data and special category data includes your time as an Applicant, Associate, or as an Alumni.
Notwithstanding, there are occasions where you may not want us to share certain data with upReach partner employers or partner universities (each, a “Partner,” and collectively the “Partners”). There may also be instances where you choose to withdraw consent to process data, where you previously provided such consent to upReach. It is within your legal right to withdraw such consent at any time. To withdraw consent, or to request certain information not be processed or shared, please send the full details of your request to Gavin Davis, at firstname.lastname@example.org.
Providing consent to process data is not a precondition to service. Even still, choosing to withhold consent, withdraw consent, or request that certain data not be processed may limit upReach’s ability to provide services.
3. Data Controller Information and Principles.
upReach, located at Ground Floor, Studio 18, Blue Lion Place, 237 Long Lane, London, SE1 4PU, the Chief Executive Officer, and the Trustees are the “Data Controller” as the term is both defined in this Agreement and by the General Data Protection Regulation (“GDPR”). upReach has designated Gavin Davis, as the person responsible for data protection matters at upReach. Her contact details can be found on page 5 of this Agreement.
upReach is committed to ensuring that any information provided by Applicants, Associates, and Alumni (either directly or indirectly) is collected, processed, and protected in accordance with all applicable laws. Such laws include the Data Protection Act 2018 and GDPR, including Article 5 of GDPR that requires personal data be:
Processed lawfully, fairly, and in a transparent manner;
Adequate, relevant, and limited to what is necessary in relation to the purposes for which the personal data is processed;
Accurate and, where necessary, kept up to date, whilst taking reasonable steps to ensure inaccurate personal data is erased or rectified without delay (when considering the purpose(s) for which the personal data is processed);
Kept in a form that permits identification only so long as necessary for the purposes described in this Agreement; and
Both processed securely and protected using appropriate technical or organisational measures.
upReach, its staff, and its data processors processing personal data shall comply with these principles at all times.
4. Information Collection and Use.
Subject to this Agreement, upReach will treat as confidential the personal data that it collects about upReach Users.
A. Collection of Personal Data and Special Category Data.
The categories of personal data we may collect include, without limitation:
Date of birth;
Educational details including educational institutions, modules, and grades;
Personal and university email addresses, Skype identification information, phone number(s), and postal address(es);
Social media profiles and identification including profiles on Facebook, LinkedIn, and WhatsApp;
Free school meals eligibility status;
Refugee or asylum seeker status;
Time in care;
Parent(s), carer(s), or guardian(s) occupation, university status, or both;
Household income and university financial information (as those terms are defined by each upReach User’s applicable university or institution);
Bank details; or
Likewise, we only collect certain ‘special category’ data that includes information about:
B. Purposes of Use - Personal Data and Special Category Data.
upReach may share information about upReach Users including, without limitation:
Informing an upReach User’s university about his or her interest in, or progress through, upReach’s programme;
Informing Partners about an upReach User’s status and engagement with our programme, including use of our resources and outcomes, mentor details, or attendance at upReach events;
Sharing the data upReach Users provide to us when completing REALrating, getEmployable, or both, with Partners (including Indicators of Disadvantage (as defined below));
Informing a partner employer of an Associate’s background and progress through the partner employer’s application process(es), including interview responses, application outcomes, and upReach recommendations for supporting an Associate’s application;
Sharing information with a partner employer who has requested information to help inform their recruitment decision about an Associate; or
Reporting diversity data to partner universities about their cohort of Associates.
5. upReach’s Legal Bases for Processing Personal Data.
In accordance with Article 6 of GDPR, we rely on certain legal bases to process your data. Your consent (as demonstrated by accepting the terms of this Agreement, providing upReach with your personal data, or both) is the primary legal basis permitting upReach to process the personal data you provide to us.
We may also rely on two (2) other legal bases under Article 6 to process your data: (i) legal obligations (such as legal or regulatory requirements, like court orders); or (ii) a contractual basis, such as this Agreement, where you and upReach contractually agree to certain obligation and rights. It is important to note that upReach is obliged to abide by all legal requests for information made by law enforcement, judicial bodies, or other applicable legal or regulatory bodies.
We process special category data in accordance with Article 9 of GDPR. This includes processing special category data based on your explicit consent, as well as processing this data as part of our legitimate work as a not-for-profit organisation.
6. upReach Obligations.
All upReach staff have some responsibility for ensuring data is processed and protected in accordance with applicable laws and regulations, and receive training accordingly. upReach staff ensure upReach Users’ data is secured, restricted, and shared in accordance with the terms of this Agreement and only for the purposes stipulated in this Agreement.
upReach’s Product Manager and its Legal and Risk Management ensure all systems, services, and equipment used to process and protect personal data meet acceptable security standards and perform regular checks to ensure proper functionality. The CEO and Legal and Risk Management also ensure compliance with the terms of this Agreement.
7. Associate Obligations.
upReach Users are responsible for ensuring personal data provided to upReach is accurate and up-to-date.
8. Right to Access and Accuracy Personal Data.
You are entitled to request and access the information that upReach holds about you (subject to limited exceptions), as stated in the Data Protection Act 2018, GDPR, and other applicable laws and regulations. In addition, you are entitled to have inaccurate personal data corrected or erased, and to object to the processing of your personal data. If you wish to access such personal data, you should send your request via email to Gavin Davis, at email@example.com. If upReach becomes aware of an inaccuracy in your personal data, upReach will take every reasonable step to correct the inaccuracy.
You have other rights related to your data as well. These rights include the right to:
Request access to your personal data;
Object to the processing of your personal data;
Request restriction of processing your personal data; and
Request transfer of your personal data.
9. Retention of Personal Data.
upReach will only retain the minimum necessary personal data about you, and only for so long as it is required to either: (i) fulfil the purposes stated in this Agreement; or (ii) maintain personal data to comply with applicable laws and regulations. Data will be erased in line with upReach’s normal data retention policy. In particular:
A. Erasure of Data for Unsuccessful Applicants. Unsuccessful Applicants are those Applicants who are unsuccessful in becoming upReach Associates for any reason, including personal withdrawal from the application process. All personal data, including any special category data, belonging to unsuccessful Applicants will be deleted annually on 15th July.
B. upReach Associates and Alumni. upReach will automatically erase all Associate and Alumni personal data and special category data five (5) years after the upReach Associate or Alumni leaves upReach’s programme. Any Alumni or Associate may also request personal data be erased by following the procedure indicated in this Agreement.
Any deliberate breach of data protection legislation, upReach data protection policies, or this Agreement may lead to disciplinary action being taken, up to and including dismissal from the organisation, legal action, or both. Any questions or concerns about the interpretation, application, or operation of this Agreement should be discussed with Legal and Risk Management.
upReach is committed to following this Agreement and takes seriously any violations or breaches. If you feel that this Agreement has not been followed in respect of your personal data please contact Legal and Risk Management immediately per the contact information below.
Role: Contact Information
Data Controller: upReach Charitable Company
Data Controller Designee: John Craven, CEO
Data Controller Designee Email: John@upreach.org.uk
Data Protection Designee: Gavin Davis, Finance Manager
Data Protection Designee Email: firstname.lastname@example.org
Data Protection Designee Address: Ground Floor, Studio 18, Blue Lion Place, 237 Long Lane, London, SE1 4PU
Glossary of Terms
Consent. Freely given, specific, informed and unambiguous indication of a data subject’s wishes, whereby the data subject signifies by statement, or clear and affirmative action, his or her agreement to the processing of his or her personal data.
Data. Any information which will be processed or used on or by a computerised system, including information contained within a “relevant filing system” of information.
Data Subject. The person who is the subject of the “personal data.”
Data Controller. A natural or legal person who determines (jointly or alone) the purposes and the manner in which, any personal data are, or will be, processed.
Data Processor. Any person who processes data on behalf of the data controller.
Indicators of Disadvantage. “Indicators of Disadvantage” include, without limitation, school performance, eligibility for free school meals, caring responsibilities, time in care, or postcode information. Limited Exceptions. Processing of personal and special category data including responding to a Subject Access Request may, in some circumstances, be restricted when personal data is subject to situations involving “crime and taxation purposes” which include, without limitation the:
Prevention or detection of crime
Capture or prosecution of offenders; or
Assessment or collection of tax or duty.
Personal Data. Any information relating to an identified or identifiable natural person (‘data subject’). An ‘identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing. Covers almost anything which is done with, or to, the data, including:
recording or entering data onto the files;
holding data, or keeping it on file without doing anything to it or with it;
organising, altering, or adapting data in any way;
retrieving, consulting, or otherwise using the data;
combining data with other information;
erasing or destroying data; or
using the data within research.
Recipient. Any person to whom personal data is disclosed, including any person to whom personal data is disclosed in the course of processing personal data for the data controller (e.g., an employee of the data controller, a data processor, or an employee of the data processor).
Subject Access Request. The process by which individuals can determine what personal or special category data an organisation holds about them, why they hold it, and with whom the personal or special category data is shared.
Third Party. A natural or legal person, public authority, agency, or body other than the data subject, data controller, data processor and persons who under the direct authority of the controller or processor authorised to process personal data.
Name: Gavin Davis
A-01 upReach Associate UserAgreement
Prepared by: Nicola Lewis & Stephanie Hudson
Effective from: 27/11/2018
Review on or before: 26/11/2019