If you have a question regarding our Privacy Policy, please reach out to our Lead and Data Privacy point of contact Holly Parrish via lead@head-up.org

Head Up! Privacy Policy

Last updated: November 2024

 

Contents

Privacy statement
 
Our Privacy Motto 
 

Definitions 

1. Data collection 

1.1 Mentees 

1.2 Mentors 

1.3 Content Contributors 

1.4 Donors 

1.5 Team Members 

1.6 Visitors to our Site and social media pages 

1.7 Further data collection 

2. Cookies and analytics 

3. Data processing 

4. Who can access your personal information 

5. Data sharing 

6. Aggregated and anonymised data 

7. Data security 

8. Data retention

9. Rights 

10. Third party websites

11. Changes to our Policy

 

Privacy statement

Undertaken on behalf of Head Up!, a non-profit organisation, and its committee as constituted at the date of publication. Lead and data privacy point of contact: Holly Parrish (lead@head-up.org)

At Head Up! we have a strong commitment to protect the privacy of all individuals in respect of which it processes information. We will only collect and use information in a manner consistent with your rights and our obligations under applicable law.

This Privacy Policy (the “Policy”) describes how information about you is collected and used by us or shared with others, how we safeguard it and how you may access and control its use.

This Policy applies to visitors to our website located at  www.head-up.org  (the “Site”) inclusive of any sub-domains of the Site, our social media pages, and to all users or potential users (mentees and mentors) of our services (the “Services”).

Protecting your privacy is paramount to us. Please read the following carefully to understand our views and practices regarding your information. By using the Site and the Services and/or otherwise interacting with Head Up!, you consent to us processing your personal data and other information in accordance with this Policy.

If you do not accept and agree with this Privacy Policy then you must stop using our Services immediately.

If you have any questions, concerns or comments about this Policy, please contact us at lead@head-up.org.

 

Our Privacy Motto

  1. We are transparent about the information we hold about you.
  2. We will work with you to keep your information accurate and current.
  3. We will do our best to keep your information secure and prevent unauthorised access to it.
  4. We will delete information when it is no longer required to deliver our Services or when you ask us to do so and we have no legal obligation to retain such information.

 

Definitions

For the purpose of the General Data Protection Regulation (UK GDPR)  (the “GDPR”), the Data Controller is Head Up!. Head Up! refers to the non-profit organisation and registered society at the University of Cambridge. During the course of our activities,  we  will process personal data about you in accordance with the GDPR.

“Personal data” means information we hold about you from which you can be or are identified. Personal data may be held in paper or electronic format or in another recorded form. It may include the following information: your name, contact details (personal and/or work details), next of kin details, criminal offences, financial background, educational background, university preferences, and expressions of opinion about you.

Processing” means doing anything with  personal data, such as accessing, disclosing, destroying, transferring, holding, amending, deleting or using the personal data.

“Head Up!” and “the scheme” refer to the Head Up! access organisation and the mentoring programme organised by it respectively.

“Mentors” refers to current and former university students who have completed the sign-up process to register themselves as mentors under the scheme.

“Mentees” refers to young people who have completed the application for assistance under the scheme.

“Mentoring” refers to participation in any form in the mentoring scheme, to assist, intend to assist or help others in assisting prospective students via the scheme or to receive or intend to receive such assistance, and to all personal communication between mentors and mentees.

“Head Up! Committee” refers to the people who organise and run Head Up! and have access to data used within it; this is a limited and specific group of individuals as named on the website, this list will be updated as appropriate such that it reflects the full and current list of people who have access to user data.

“We” and “us” refers to Head Up! in its legal capacity as an autonomous organisation and otherwise to all members of the committee.

We will comply with the six key principles in the GDPR. Your personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not  be considered to be  incompatible with the initial purposes (‘purpose limitation’);
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 

1. Data collection

We are an organisation which aims to promote the interests of young people with disabilities, physical and/or mental health conditions, specific learning difficulties and who are neurodivergent; offering them practical advice and support concerning their education and welfare. This may be in the form of online content (social media content and website articles) and mentoring. We continuously expand our network and our focus is on building close, long-term relationships that enable us to deliver this service free of charge to those who need it. For our mentoring scheme, we collect personal data from our users insofar as it is necessary to verify their identity and understand their background for the purposes of matching mentors and mentees with similar lived experience, which activity is within our remit as a charitable access organisation.

We collect six categories of personal data:

  1. Personal data we collect from Mentees.
  2. Personal data that we collect from Mentors.
  3. Personal data that we collect from Content Contributors.
  4. Personal data that we collect from Donors.
  5. Personal data that we collect from Team Members.
  6. Personal data we get from Visitors to our Site and social media pages.

We may collect and process the following data about you:

  1. Information that you provide by filling in forms on the Site.
  2. Information that you share with us over email or social media exchanges and in questionnaires.

1.1 Mentees

We collect the following personal data when Mentees sign up to our mentorship platform:

  1. Full legal name (users who have a different preferred name may provide it if they choose, if given consent will be assumed on the same basis)
  2. Date of birth
  3. Contact details: email for the mentee; name, email, and phone number for their parent/guardian/nominated authority contact (if both are provided equal consent is assumed for use of both), address
  4. School year and type (state or private)
  5. Disability or condition; it is compulsory to list a general class (eg. neurodivergence, mobility impairment), mentees may also choose to give more detail of their specific condition; providing this information will be taken as consent to the holding and required disclosure of it on the same basis as the other information provided. Conditions may be listed whether formally diagnosed or not.
  6. Match preference (whether they would prefer a mentor who shares their subject interest or condition)
  7. Subject and university interest (this is optional but sharing consent will be assumed on the same basis as the other information if it is provided)
  8. Accessibility requirements
  9. Diversity monitoring data: demographics, socioeconomic background, geography, access to information

Our lawful basis for processing is consent, with the purpose of raising and fulfilling a contract. We process special category data, specifically ethnicity, for equality of opportunity in the public interest (Article 9(2)(g), Schedule 1 of the DPA 2018). We will match Mentees and Mentors based on the personal data provided. However, any decision for matching will have the final sign-off by a Head Up! team member.

Mentoring communications and meetings will be recorded, for safeguarding purposes. This data is stored by the Mentor and accessed by Head Up! only in the event of safeguarding concerns being raised. Mentees and mentors must also copy in Head Up! Safeguarding on all their email exchanges.

For the handling of data generated during a safeguarding report, please view the Child Protection / Vulnerable Adult Records Retention and Storage Policy in our Safeguarding policy document and in this document Section 4: Who can access your information and Section 5: Data sharing.

1.2 Mentors

We collect the following personal data when potential Mentors complete our Expression of Interest form:

  1. Full legal name (users who have a different preferred name may provide it if they choose, if given consent will be assumed on the same basis)
  2. Contact email
  3. Undergraduate/Graduate status
  4. DBS status
  5. University (including college).

Our lawful basis for processing is consent.

In addition to the above, we collect the following personal data when Mentors sign up to join our mentorship platform:

  1. Address (both university and home, if applicable);
  2. Telephone contact number;
  3. Date of birth;
  4. DBS Status and certificate; (in addition to personal information already listed under information we collect, DBS certificates note place of birth, gender, employer details, and criminal record history);
  5. Proof of identification;
  6. Any potential physical / mental health disabilities, whether formally diagnosed or not; (it is compulsory to list a general class (eg. neurodivergence, mobility impairment), mentors may also choose to give more detail of their specific condition; providing this information will be taken as consent to the holding and required disclosure of it on the same basis as the other information provided);
  7. Any mentoring experience;
  8. Reference from a tutor;
  9. Membership of any national professional bodies;
  10. Accessibility requirements;
  11. Diversity monitoring data such as demographics, socioeconomic background, geography and access to information;
  12. Educational background data such as school, offers received and past degrees (if applicable); and
  13. University data such as university name, course, college, entry dates and graduation dates.

In addition to the above, we require mentors to share the recordings of their meetings with mentees, for safeguarding purposes. This data is stored by the Mentor and accessed by Head Up! only in the event of safeguarding concerns being raised. Mentees and mentors must also copy in Head Up! Safeguarding on all their email exchanges.

Our lawful basis for processing is to raise and fulfil a contract. We process special category data, specifically ethnicity, for equality of opportunity in the public interest (Article 9(2)(g), Schedule 1 of the DPA 2018). We will match Mentees and Mentors based on the personal data provided. However, any decision for matching will have the final sign-off by a Head Up! team member.

For the handling of data generated during a safeguarding report, please view the Child Protection / Vulnerable Adult Records Retention and Storage Policy in our Safeguarding policy document and in this document Section 4: Who can access your information and Section 5: Data sharing.

1.3 Content Contributors

We collect the following personal data when content contributors provide us with information for our knowledge bases, both online and in print:

  1. Contact details;
  2. Educational background data such as school, offers received and past degrees (if applicable);
  3. Any potential physical / mental health disabilities (which may be diagnosed or undiagnosed);
  4. University data such as university name, college, course;
  5. Experience data such as disability access experiences; and
  6. Photos and videos relating to university life.

Our lawful basis for processing is consent. We don’t require you to provide special category data (i.e. ethnicity), but if you do provide such data, you consent to our use of it for publishing both online and in print.

1.4 Donors

We collect the following personal data when donors make a contribution:

  1. Contact details;
  2. IP address;
  3. Country; and
  4. Donation amount.

Our lawful basis for processing is to raise and fulfil a contract. We will not contact you for the purposes of direct marketing without your explicit consent.

1.5 Team Members

We collect the following personal data when potential Team Members complete our Expression of Interest form:

  1. Full legal name (users who have a different preferred name may provide it if they choose, if given consent will be assumed on the same basis)
  2. Contact email
  3. Undergraduate/Graduate status
  4. DBS status
  5. University (including college).

Our lawful basis for processing is consent.

We collect the following personal data when potential Team Members send us an application for a volunteer or job opening:

  1. Contact details;
  2. Country;
  3. University (including college);
  4. DBS Status;
  5. CV; and
  6. Responses to interview questions.

Our lawful basis for processing is legitimate interests. We collect the following personal data when Team Members are on-boarded:

  1. Contact details;
  2. Date of birth; and
  3. University details;

Our lawful basis for processing is to raise and fulfil a contract. We process special category data, specifically ethnicity, for equality of opportunity in the public interest (Article 9(2)(g), Schedule 1 of the DPA 2018).

1.6 Visitors to our Site and social media pages

When you visit the Site, visit our social media pages or interact with the Services, we may use a variety of technologies that automatically or passively collect information about how the Site is used (“Usage data”).

We collect the following data when users visit our Site:

  1. IP address; and
  2. Usage data.

Usage data may include weblogs and other communication data, browser type, operating system, the page served, the duration of your visit, the time, referring URLs and other information normally transmitted in HTTP requests. Usage Data is statistical data about our users’ browsing actions and patterns and does not identify any individual. We will treat Usage data as personal data if we combine it with you as a specific and identifiable person.

Our lawful basis for processing is legitimate interests.

1.7 Further data collection

For all of the above groups, we may collect further data as required; this will be clearly and specifically communicated to the users involved when it occurs. With the exception of situations in which we have a legal requirement to share data with the relevant authorities (see Section 5: Data sharing), users retain their full and complete right to provide, modify, or refuse consent to the provision or sharing of this further information. Consent to this privacy policy does not imply consent to the sharing of further data.

 

2. Cookies and analytics

A cookie is a small file of letters and numbers that we put on your computer if you use the Site. By browsing the Site  you agree to having these cookies placed on your computer.  The cookies collect information in an anonymous form, including the number of visitors to a website, from where visitors to a website have come from and the pages visited.

 

3. Data processing

Your personal data has only been collected, utilised or shared by Head Up! if:

  1. You have consented to the processing;
  2. The processing is necessary for the performance of (or entering into) a contract;
  3. The processing is a result of an existing legal obligation to which we are subject;
  4. The processing is in your vital interests;
  5. The processing is in the public interest; or
  6. The processing is in our legitimate interests.

We use the information you provide to us to:

  1. Provide you with relevant information and services;
  2. Share information with mentors and the management team responsible for connecting you with that mentor;
  3. Ensure that content from the Site is presented in the most effective manner for you;
  4. Carry out our obligations arising from any contracts entered between you and us;
  5. Invite you and allow you to take part in special events that we host from time to time;
  6. Respond to communications from you;
  7. Ask for feedback from you to improve our Services;
  8. Analyse your activity on our Services to make improvements; and
  9. Ensure safeguarding procedures are met.

We will keep the personal data we store about you accurate and up to date. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.  We will not keep your personal data for longer than is necessary for the purpose. This means that data will be erased from our systems or anonymised when it is no longer required, unless we are bound by law to keep it for longer (in the case of safeguarding concerns).

Any email marketing messages we send are done so through our @head-up.org accounts. Any email marketing messages we send are in accordance with the GDPR and the PECR. We provide you with an easy method to withdraw your consent (unsubscribe) at any time. See any marketing messages for instructions on how to unsubscribe.

 

4. Who can access your personal information

All personal information supplied by users will be stored in electronic documents in the possession of the President (lead@head-up.org) and will be fully accessible to them at any time unless and until users request it to be deleted. ‘Sensitive Personal Information’ refers to any details provided about Mentors or Mentees which may be considered confidential or private or which could harm the user should it be publicly available. In this context it may consist of details of a user’s disability or condition, contact information, date of birth of mentees aged under 18, legal name of users who have stated a different preferred name. Sensitive personal information will only be visible to the Head Up! President and members of the committee to whom the user has given specific consent. This information will only be used when reasonably necessary and users will be informed and asked for consent before it is shared.

Non-sensitive personal information may also be accessed by other members of the committee who will be given specific limited access to the private file when necessary. Head Up! reserves the right to sharing of non-sensitive personal data among the committee at any time as far as is necessary for the operation of the scheme without obtaining specific further consent from the user. We also reserve the right to the sharing of non-sensitive data among the committee for the purposes of research and managing complaints made to us. Anonymised data may be shared with the Charity Commission or donors for regulatory, publicity and fundraising purposes.

Contact details for Mentees will be shared with their mentors on an individual basis and vice versa for the purpose of mentoring under the scheme. Users may also choose to share whatever personal information they like with their Mentor/Mentee once they have been assigned – Head Up! does not accept responsibility for the content of any such communications or disclosure of personal information which may occur as a result.

No personal information or information about a Mentee’s involvement in the scheme will be shared with the Mentee’s parents/guardians/nominated authority contacts unless required by law.

Our normal legal basis for processing personal information is users’ consent, which users give at the point of completing the sign-up process as a mentor or mentee and which they can withdraw at any time by notifying the committee.

 

5. Data sharing

We will not share your information with any third parties for the purposes of direct marketing.

In some circumstances we are legally obliged to share information. For example, when we are involved in legal proceedings such as a safeguarding incident, or when we are complying with the requirements of legislation, a court order, or a governmental or regulatory authority like the Charity Commission.

If we share your data with a third party, we will have regard to the six  data protection principles.

We may disclose your personal information to third parties:

  1. If we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request.
  2. To enforce a contract entered into between you and us.
  3. To investigate potential breaches.
  4. To protect the rights, property or safety of our Mentees, Mentors or anyone else. This includes exchanging information with other organisations for the purposes of fraud protection, the checking of criminal records and other references.

For the handling of data generated during a safeguarding report, please view the Child Protection / Vulnerable Adult Records Retention and Storage Policy in our Safeguarding Policy document.

Where we are required to share information, every effort will be made to notify and gain consent from the parties involved, where feasible and appropriate. However, if notification or gaining consent is not appropriate due to a child, young person or vulnerable adult being at immediate risk of harm, or if notification or gaining consent may put them at risk of harm, this will be documented and records will be shared in the best interest of those involved. Head Up! will not be liable for any results of any such disclosure or for failure to inform users if it is not feasible or appropriate to do so.

Currently, we share information with the following organisations, who operate under their own privacy policies referenced below.

  1. wordpress.com for the purpose of hosting our website. Privacy policy here.
  2. dreamhost.com for the purpose of hosting our website. Privacy policy here.
  3. zoho.com for the purpose of hosting our email servers. Privacy policy here.
  4. google.com for the purpose of storing our data, including recordings of mentoring sessions. Privacy policy here.
  5. zoom.com for the purpose of hosting our mentoring sessions. Privacy policy here.

 

6. Aggregated and anonymised data

We may combine your Usage Data and/or your personal data with those of other users of the Services and the Site and share or provide this trend information in aggregated and anonymised form with third parties, such as potential donors. This will only ever be anonymised data, and will never be capable of personally identifying an individual, and will only be shared in accordance with applicable law. For example, we may anonymise your personal information and use it in aggregated form in order to report on higher education access data for those with disabilities.

 

7. Data security

We will take appropriate steps to ensure that the processing of personal data is lawful or authorised, and to prevent the accidental loss, or damage to, personal data. We continuously strive, in accordance with industry standards, to have in place procedures and technologies to maintain the security of all personal data and confidential data from the point of collection to the point of destruction.

We will only transfer personal data to third parties where they agree to comply with similar procedures and policies or have in place adequate measures. An adequate measure would be a privacy shield certification, a Data Processing Agreement or a contract based on the UK Model Clauses.

To protect your personal data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure data collected through our Services. Steps we take to secure and protect your data include:

  1. Regular backups of your data including retention policies;
  2. Mailbox and data access auditing;
  3. Full SSL (https) connection to our Site;
  4. User-level authentication to personal data;
  5. Data loss prevention policies; and
  6. Personal data is stored at rest in an encrypted format so is non-human readable.

Please remember that the transmission of information via the internet is not completely secure. We will do our best to protect your information, but we cannot guarantee the security of your data transmitted to our Site. Any transmission is at your own risk. Once we have received your information, we will use security features to try to prevent unauthorised and unlawful access. If a security breach causes an unauthorised intrusion into our system that materially or non-materially provides a risk to you, we will notify you as soon as possible and later report the action we took in response to any breach. Head Up! accepts no liability for data breaches stemming from faults in Google, WordPress, ZohoMail, or DreamHost IT services.

 

8. Data retention

We will not retain your personal data longer than is necessary to fulfil the purposes for which it was collected. However, we may be required by applicable laws and/or regulations to hold your personal data longer than this period (such as in the case of a safeguarding concern). If no contradicting legal obligation exists, we reserve the right to delete Mentor or Mentee profiles that have been inactive for at least 36 months or when you request that your personal data be erased and no longer processed by us. Additionally, where there is a contradicting statutory obligation for us to retain your personal data, we will restrict/block further processing and then erase the relevant personal data when we no longer have a requirement to retain it.

 

9. Rights

You have:

  1. The right to be informed;
  2. The right of access;
  3. The right to rectification;
  4. The right to erasure;
  5. The right to restrict processing;
  6. The right to data portability;
  7. The right to object; and
  8. Rights in relation to automated decision making and profiling.

Please note that all these rights are qualified in various ways.  For example, where we store your personal data for statistical purposes, we may not be able to comply with an erasure request where it would likely impair such statistical purposes or where we require your personal data for compliance with a legal obligation or in connection with legal proceedings.

You may contact our Data Protection Lead about all issues related to this Policy, your personal data and to exercise your rights under Data Protection laws. You must make the request in writing specifying the nature of your request. All such written requests should be sent to lead@head-up.org.

You can exercise your rights to erasure at any time by contacting us at lead@head-up.org. We will however have to retain your name so that we can record the fact that you do not want us to retain information about you.

If you feel that the processing of your personal data is not in line with our data protection obligations, you can complain to our lead data protection supervisory authority:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

K9 5AF

Phone: 0303 123 1113

Website: https://ico.org.uk/

 

10. Third party websites

The Site may contain links to and from the websites of our partner networks, advertisers and affiliates or other third parties and the Services may appear on third party websites and online media. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we cannot and do not accept any responsibility or liability for these policies. Please check these policies carefully before you submit any personal data to these websites.

 

11. Changes to our Policy

We may change this Policy from time to time, in whole or part, at our sole discretion. We encourage you to check our website to view the most recent version of this Policy. You may also request a copy of the most recent version of this Policy by contacting us. If, at any time, we decide to use your personal data for a purpose that is different from the original purpose of collecting your personal data, we will contact you regarding this change. At the time of publication Head Up! undertakes that this statement is accurate to our reasonable knowledge.

 

Last update: 3 November 2024

Remember:  you can always get in touch! We really do welcome any questions, comments and requests you may have regarding this Policy. You can contact us by emailing lead@head-up.org

About Us

The general aim and objective of Head Up! is to promote the interests of young people with disabilities, physical and/or mental health conditions, specific learning difficulties and neurodivergence; offering them practical advice and support concerning their education and welfare.