Data Protection and GDPR policy - Rise Futures

Rise Futures needs to hold and to process large amounts of personal data about its students, employees, applicants, business partners and other individuals in order to carry out its business and administrative functions.

By personal data, Rise Futures refers to any information relating to an identified or identifiable natural person (data subject) who can be identified, directly or indirectly by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

For data to be classified as sensitive personal data, it must fall into the following categories:

1. The racial or ethnic origin of the subject;

2. The subject’s political opinions;

3. The subject’s religious beliefs or beliefs of a similar nature;

4. Whether the subject is a member of a trade union;

5. Information on the subject’s physical or mental health condition;

6. Information on the subject’s sexual life;

7. The commission or alleged commission of an offence by the data subject;

8. Information relating to the commission or alleged commission of an offence by the data subject.

The Special Categories now specifically include Biometric Data and Genetic Data where processed to uniquely identify an individual (e.g. fingerprint payment systems).

This policy will apply to personal information regardless of the way it is used, recorded and stored and whether it is held in paper files or electronically.

Rise Futures is committed to being concise, clear and transparent about how it obtains and uses personal information and will ensure data subjects are aware of their rights under the legislation.

Rise Futures recognises that a Data Subject is a living, identified or identifiable individual about whom we hold personal data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their personal data.

Rise Futures must have a general understanding of the law and understand how it may affect its decisions in order to make an informed judgement about how information is gathered, used and ultimately deleted.

The GDPR guidelines:

Article 5 of the GDPR contains the principles and requires that personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Reasons for collecting and Processing your Personal Data

Rise Futures collects personal data (which may include Special Category Personal Data) in order to provide services and for the recruitment of employees and volunteers.

Personal data can include your name, email address, telephone number, postal address, student details, information supplied to support a successful intervention and specific personal requirements. We may also be provided with date of birth, DBS documentation, identification and address documentation, qualifications, employment information, references and CVs.

Rise Futures collects personal data including:

● young people’s records

● employee and volunteer records

● names and addresses of those making enquiries

● examination marks

● references

● young people’s stories and contacts

● as well as the many different types of data used by Rise Futures

In addition, it may be required by law to collect and use certain types of information to comply with statutory obligations of law enforcement agencies, government agencies and other bodies.

The policy applies to all employees, trustees, volunteers, business partners, young people and others insofar as the measures under the policy relate to them.

We process your personal data in accordance with the General Data Protection Regulation (GDPR) and other related legislation. We will only use your personal data in accordance with this privacy statement. We may be required to use your data for the purpose of investigating, reporting and detecting crime and also to comply with laws that apply to us. We continually monitor our data protection policy in order to ensure that we maintain full compliance with data protection laws.

Legal basis for collecting your personal data:

To process personal data we must identify and establish a legal basis for doing so and verify this with the regulations.

We process your personal data only for the legitimate reasons that we are entitled to by the nature of Rise Futures and in a way which you would expect to be reasonable in regard to the services that we provide. We use the data provided to us for allocating mentors to young people and providing a means for Rise Futures to contact both mentors and young people and surrounding services.

We will also process personal data provided by applicants with referees from whom we may seek references, DBS service for the purposes of undertaking DBS checks, and the Disclosure and Barring Service.

We use data analytics to improve our website and internet marketing in maintaining and developing our business.

Sharing your personal data

We do not disclose your personal information to any other parties other than in accordance with this Privacy Policy. We do not transfer personal data overseas. We never pass on email addresses or contact information to any third parties for marketing purposes.

Storage and Security

We put in place security measures to provide all reasonable means to protect your personal data and when required, destroy it in a safe and compliant way. However, the internet and email are not totally secure and consequently we cannot guarantee the security of data which you send to us by these means.

Data Retention

We will keep your personal data only for as long as is necessary for us to fulfil the purpose for which it was collected. We are legally required to keep certain types of data for set periods of time.

Your Rights

The GDPR provides you with rights to protect your personal data: a right to be informed about the data that we process about you, a right to access your personal data, a right to rectify data held about you which is inaccurate or incomplete, a right to have your data deleted from our records, a right to restrict the processing of your personal data, a right to object to certain types of processing, a right to transfer your data to another organisation and a right to withdraw consent.

We are not able to delete information where we have a legal reason to keep it, to maintain our business purpose, or where the data is required to facilitate your contract with us.

You can exercise your rights by contacting us at office@risefutures.org

Cookie Policy

Cookies are small text files placed on your device by websites. They help websites to work more efficiently and improve the user's experience. Some cookies are not essential to the operation of websites but are used to provide information for the owners of the website.

We only use cookies that are necessary to enable functionality of our website. We do not collect or store information. When you first visit our website we ask you to consent to our use of cookies in accordance with this Cookie Policy.

You can disable cookies by changing the settings on your browser, information for which can be found on your browser's website. However, disabling cookies may affect how our website functions. You can find out more about cookies by visiting:

www.aboutcookies.org or www.allaboutcookies.org

External Sites

Our website provides links to other websites. Rise Futures are not responsible for these sites which may have different privacy policies.

Details of all personal data which will be held, the format in which it will be held and the purpose(s) for collecting the data in each case.

Personal data is subject to the legal safeguards specified in the GDPR.

Staff/volunteer/trustee records:

These may include:

● personal information (such as name, employee or teacher number, national insurance number)

● characteristics information (such as gender, age, ethnic group)

● original records of application, appointment and contract information (such as start date, hours worked, post, roles and salary information)

● work absence information (such as number of absences and reasons, career breaks, parental leave, study leave)

● work record, qualifications (and, where relevant, subjects taught)

● relevant medical information

● addresses

● other relevant payroll information

● record of appointments to promotion posts

● details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress.

Purpose for keeping staff/volunteer/trustee records

At Rise Futures, staff data is essential for operational use and to facilitate other administrative tasks.

Young people's records

These may include:

● information which may be sought and recorded at enrolment, personal identifiers and contacts (name, address, email address, phone number, unique pupil number)

● names and addresses of parents/guardians and their contact details

● age, date of birth, sex, sexual orientation, marital status, family status

● characteristics (race, language, nationality, ethnicity, origin, colour, religious or political beliefs or associations)

● national insurance numbers, national health service numbers

● safeguarding information (such as court orders and professional involvement)

● special educational needs (including the needs and ranking)

● medical and administration (such as doctors’ information, pupil health, dental health, allergies, health care history including information on physical/mental disability, medication and dietary requirements)

● attendance (such as sessions attended, number of absences, absence reasons and any previous schools attended)

● assessment and attainment (such as school work, marks and exam results, courses enrolled for and any educational related results)

● Behavioural information (such as attendance, exclusions and any relevant alternative provision put in place)

● Trips and activities, catering management

● Identity management and authentication

● Staff development reviews

● Information on previous academic record

● ‘Team around the student’ information, names, phone number, addresses.

● Internal Rise Futures reports

Storage Format

The format in which the above records will be kept will be either manual record (personal file within filing system), computer record (database) or both. They will be kept securely in accordance with Rise Futures’ data protection obligations.

Purpose for keeping student records

At Rise Futures, young people's data is essential to enable each young person to develop his/her full potential, to comply with legislative or administrative requirements, to ensure that eligible young people can benefit from the relevant interventions or financial supports, to support the provision of religious instruction, to enable parent/guardians to be contacted in the case of emergency.

Trustee records

These may include:

● Name, address and contact details of each Trustee

● Records in relation to appointments to the Trustee board

● Minutes of board of management meetings and correspondence to the board which may include references to particular individuals

Storage Format

The format in which the above records will be kept will be either manual record (personal file within filing system), computer record (database) or both. They will be kept securely in accordance with Rise Futures’ data protection obligations.

Purpose for keeping Trustee of Management records

At Rise Futures, trustee details are essential to record board appointments and document decisions made by the board.

Section B

Details of the arrangements in place to ensure compliance with the principles set out in the GDPR.

This policy sets down the arrangements in place to ensure that all personal data records held by Rise Futures are obtained, processed, used and retained in accordance with the following principles set out in the GDPR:

Lawfulness, Fairness and Transparency

● Personal data must be processed lawfully, fairly and in a transparent manner

● Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

● Personal data must not be used for new, different or incompatible purposes from that disclosed when it was first obtained unless the data subject has been informed of the new purposes and they have consented where necessary.

Data Minimisation

● Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed

● Employees/volunteers/trustees may only process data when their role requires it. Employees/volunteers/trustees must not process personal data for any reason unrelated to their role.

● Rise Futures maintains a Retention Schedule to ensure personal data is deleted after a reasonable time for the purpose for which it was being held, unless a law requires such data to be kept for a minimum time.

● Rise Futures must take all reasonable steps to destroy or delete all personal data that is held in its systems when it is no longer required in accordance with the Schedule.

● Rise Futures must ensure that data subjects are informed of the period for which data is stored and how that period is determined in any applicable privacy notice.

Accuracy

Personal data shall be accurate and where necessary kept up to date and every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.

Storage Limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed.

Integrity and Confidentiality

Appropriate technical and organisational measures shall be taken to safeguard the rights and freedoms of the data subject and to ensure that personal information is processed in a manner that ensures appropriate security of the personal data and protects against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Transfer Limitation

In addition, personal data shall not be transferred to a country outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data as determined by the European Commission or where the organisation receiving the data has provided adequate safeguards.

Processing means anything done with personal data, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, use, disclosure, dissemination or otherwise making available, restriction, erasure or destruction.

This means that individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. It may also be possible to transfer data where the data subject has provided explicit consent or for other limited reasons.

Lawful Basis for processing personal information

Before any processing activity starts for the first time, and then regularly afterwards, the purpose(s) for the processing activity and the most appropriate lawful basis (or bases) for that processing must be selected:

● Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Rise Futures

● Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract

● Processing is necessary for compliance with a legal obligation to which Rise Futures is subject

● Processing is necessary in order to protect the vital interests of the data subject or of another natural person

● Processing is necessary for the purposes of the legitimate interests pursued by Rise Futures or by a third party

● The data subject has given consent to the processing of their data for one or more specific purposes. Agreement must be indicated clearly either by a statement or positive action to the processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If consent is given in a document which deals with other matters, the consent must be kept separate from those other matters.

For the purposes for which we will use your personal data, the information you provide to us may be transferred to and stored on our servers, or servers of third party providers.

Sometimes it may be necessary to transfer data that we collect from you to locations outside of the European Union for processing and storing. In such cases the data transferred is limited to that which is necessary for the processing purpose.

Withdrawal of consent

Data subjects must be easily able to withdraw consent to processing at any time and withdrawal must be promptly honoured. Consent may need to be reviewed if personal data is intended to be processed for a different and incompatible purpose which was not disclosed when the data subject first gave consent.

The decision as to which lawful basis applies must be documented, to demonstrate compliance with the data protection principles and include information about both the purposes of the processing and the lawful basis for it in Rise Futures’ relevant privacy notice(s).

Sensitive Personal Information

Processing of sensitive personal information (known as ‘special categories of personal data’) is prohibited in line with Article 9 of GDPR unless a lawful special condition for processing is identified.

Sensitive personal information is data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or orientation or is genetic or biometric data and personal data relating to criminal offences and convictions, which uniquely identifies a natural person.

Sensitive personal information will only be processed if:

● There is a lawful basis for doing so as identified above

● One of the special conditions for processing sensitive personal information applies:

● the individual (‘data subject’) has given explicit consent (which has been clearly explained in a Privacy Notice)

● the processing is necessary for the purposes of exercising the employment law rights or obligations

● the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent

● the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union aim

● the processing relates to personal data which are manifestly made public by the data subject

● the processing is necessary for the establishment, exercise or defence of legal claims

● the processing is necessary for reasons of substantial public interest

● the processing is necessary for purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, the provision of social care and the management of social care systems or services

● the processing is necessary for reasons of public interest in the area of public health.

Rise Futures’ privacy notice(s) set out the types of sensitive personal information that it processes, what it is used for, the lawful basis for the processing and the special condition that applies.

Sensitive personal information will not be processed until an assessment has been made of the proposed processing as to whether it complies with the criteria above and the individual has been informed (by way of a privacy notice or consent) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it.

Unless Rise Futures can rely on another legal basis of processing, explicit consent is usually required for processing sensitive personal data. Evidence of consent will need to be captured and recorded so that Rise Futures can demonstrate compliance with the GDPR.

Data Protection Impact Assessments

Rise Futures’ processes must embed privacy considerations and incorporate appropriate technical and organisational measures in an effective manner to ensure compliance with data privacy principles.

Documentation and records

Records of processing activities must be kept and recorded including:

● the name(s) and details of individuals or roles that carry out the processing

● the purposes of the processing

● a description of the categories of individuals and categories of personal data

● categories of recipients of personal data

● details of transfers to third countries, including documentation of the transfer mechanism safeguards in place

● retention schedules

● a description of technical and organisational security measures.

As part of Rise Futures’ record of processing activities, Rise Futures will document, or link to documentation on:

● information required for privacy notices

● records of consent

● controller-processor contracts

● the location of personal information

● Data Protection Impact Assessments

● Records of data breaches.

Records of processing of sensitive information are kept on:

● The relevant purposes for which the processing takes place, including why it is necessary for that purpose

● The lawful basis for our processing and

● Whether the personal information is retained or erased in accordance with the Retention Schedule and, if not, the reasons for not following the policy.

Rise Futures will conduct regular reviews of the personal information it processes and update its documentation accordingly. This may include:

● Carrying out information audits to find out what personal information is held

● Talking to staff about their processing activities

● Reviewing policies, procedures, contracts and agreements to address retention, security and data sharing

Privacy Notice

Rise Futures will issue privacy notices as required, informing data subjects (or their parents/guardians, depending on age of the young person, if about young person information) about the personal information that it collects and holds relating to individual data subjects, how individuals can expect their personal information to be used and for what purposes.

When information is collected directly from data subjects, including for HR or employment purposes, the data subject shall be given all the information required by the GDPR, how and why Rise Futures will use, process, disclose, protect and retain that personal data through a privacy notice (which must be presented when the data subject first provides the data).

When information is collected indirectly (for example from a third party or publicly available source) the data subject must be provided with all the information required by the GDPR as soon as possible after collecting or receiving the data. Rise Futures must also check that the data was collected by the third party in accordance with the GDPR and on a basis which is consistent with the proposed processing of the personal data.

Rise Futures will issue a minimum of two privacy notices, one for young person information, and one for workforce information, and these will be reviewed in line with any statutory or contractual changes.

Individual Rights

Employees as well as any other ‘data subjects’ have the following rights in relation to their personal information:

● To be informed about how, why and on what basis that information is processed

● To obtain confirmation that personal information is being processed and to obtain access to it and certain other information, by making a subject access request

● To have data corrected if it is inaccurate or incomplete

● To have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (‘the right to be forgotten’)

● To restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful (but you do not want the data to be erased) or where Rise Futures no longer need the personal information, but you require the data to establish, exercise or defend a legal claim

● To restrict the processing of personal information temporarily where you do not think it is accurate (and Rise Futures is verifying whether it is accurate), or where you have objected to the processing (and Rise Futures is considering whether its legitimate grounds override your interests)

● In limited circumstances to receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format

● To withdraw consent to processing at any time (if applicable)

● To request a copy of an agreement under which personal data is transferred outside of the EEA.

● To object to decisions based solely on automated processing, including profiling

● To be notified of a data breach which is likely to result in high risk to their rights and obligations

● To make a complaint to the ICO or a Court.

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the below.

● Request access to your personal data

● Request correction of your personal data

● Request erasure of your personal data

● Object to processing of your personal data

● Request restriction of processing your personal data

● Request transfer of your personal data

● Right to withdraw consent

● Rights in relation to automated decision making on Tutor ranking in search results

If you wish to exercise any of the rights set out above, please contact us.

To ensure that we can deal with your request as promptly as possible, please ensure you make your request as clearly as possible.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

You have the right to request that we send to you or to another organisation, an electronic copy of the personal data we hold about you in a structured, commonly used and machine-readable format, for example when you are dealing with a different service provider.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests.

Individual Responsibilities

During their employment, individuals may have access to the personal information of other members of staff, suppliers, clients or the public. Rise Futures expects individuals to help meet its data protection obligations to the data.

If you have access to personal information, you must:

● only access the personal information that you have authority to access and only for authorised purposes

● only allow other individuals to access personal information if they have appropriate authorisation

● only allow individuals who are not working with Rise Futures to access personal information if you have specific authority to do so

● keep personal information secure (e.g. by complying with rules on access to premises, computer access, password protection and secure file storage and destruction in accordance with Rise Futures’ policies).

● not remove personal information, or devices containing personal information (or which can be used to access it) from Rise Futures’ premises unless appropriate security measures are in place (such as pseudonymisation, encryption or password protection) to secure the information and the device

● not store personal information on local drives or on personal devices that are used for work purposes.

Information Security

Rise Futures will use appropriate technical and organisational measures to keep personal information secure, to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

All individuals are responsible for keeping information secure in accordance with the legislation and must follow Rise Futures’ acceptable usage policy.

Rise Futures will develop, implement and maintain safeguards appropriate to its size, scope and business, its available resources, the amount of personal data that it owns or maintains on behalf of others and identified risks (including use of encryption and pseudonymisation where applicable). It will regularly evaluate and test the effectiveness of those safeguards to ensure security of processing.

Individuals must guard against unlawful or unauthorised processing of personal data and against the accidental loss of, or damage to, personal data. Individuals must exercise particular care in protecting sensitive personal data from loss and unauthorised access, use or disclosure.

Individuals must follow all procedures and technologies put in place to maintain the security of all personal data from the point of collection to the point of destruction. Individuals may only transfer personal data to third-party service providers who agree in writing to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

Individuals must maintain data security by protecting the confidentiality of the personal data. This means that only people who have a need to know and are authorised to use the personal data can access it.

Individuals must maintain data security by protecting the integrity of the personal data. This means that personal data is accurate and suitable for the purpose for which it is processed.

Individuals must maintain data security by protecting the availability of the personal data. This means that authorised users can access the personal data when they need it for authorised purposes.

Individuals must comply with and not attempt to circumvent the administrative, physical and technical safeguards.

Where Rise Futures uses external organisations to process personal information on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal information. Contracts with external organisations must provide that:

● the organisation may only act on the written instructions of Rise Futures

● those processing data are subject to the duty of confidence

● appropriate measures are taken to ensure the security of processing

● sub-contractors are only engaged with the prior consent of Rise Futures and under a written contract

● the organisation will assist Rise Futures in providing subject access and allowing individuals to exercise their rights in relation to data protection

● the organisation will delete or return all personal information to Rise Futures as requested at the end of the contract

● individuals will engage with audits and inspections, provide Rise Futures with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell Rise Futures immediately if it does something infringing data protection law.

Before any new agreement involving the processing of personal information by an external organisation is entered into, or an existing agreement is altered, the relevant staff must seek approval from the Data Protection Officer at Rise Futures.

Storage and retention of personal information

Personal data will be kept securely in accordance with Rise Futures’s data protection obligations. Personal data should not be retained for any longer than necessary. The length of time data should be retained will depend upon the circumstances, including the reasons why personal data was obtained. Personal information that is no longer required will be deleted in accordance with Rise Futures’s Record Retention Schedule.

Data breaches

A data breach may take many different forms such as:

● Loss or theft of data or equipment on which personal information is stored

● Unauthorised access to or use of personal information either by a member of staff or third party

● Loss of data resulting from an equipment or systems (including hardware or software) failure

● Human error, such as accidental deletion or alteration of data

● Unforeseen circumstances, such as a fire or flood

● Deliberate attacks on IT systems, such as hacking, viruses or phishing scams

● Blagging offences where information is obtained by deceiving the organisation which holds it

Rise Futures must report a data breach to the Information Commissioner’s Office (ICO) without undue delay and where possible within 72 hours, if the breach is likely to result in a risk to the rights and freedoms of individuals. Rise Futures must also notify the affected individuals if the breach is likely to result in a high risk to their rights and freedoms.

Rise Futures will report a breach at www.ico.org.uk/for-organisations/report-a-breach

Individuals should ensure they inform their line manager or Data Protection Officer immediately that a data breach is discovered and make all reasonable efforts to recover the information, following Rise Futures’s agreed breach reporting process.

Training

Rise Futures will ensure that staff are adequately trained regarding their data protection responsibilities.

Consequences of a failure to comply

Rise Futures takes compliance with this policy very seriously. Failure to comply puts data subjects whose personal information is being processed at risk and carries the risk of significant civil and criminal sanctions for the individual and Rise Futures and may in some circumstances amount to a criminal offence by the individual.

Any failure to comply with any part of this policy may lead to disciplinary action under Rise Futures procedures and this action may result in dismissal for gross misconduct. If a non-employee breaches this policy, they may have their contract terminated with immediate effect.

If you have any questions or concerns about this policy, you should contact your line manager or the Rise Futures Data Protection Officer.

Review of Policy

This policy will be updated as necessary to reflect best practice or amendments made to the GDPR.

Reviewed January 2021

Next review January 2022

Author: Sarah Hunter