Altitude Foundation

Privacy Notice

Introduction

Altitude Foundation has a responsibility under data protection legislation to provide individuals with information about how we process their personal data.

To ensure that we process your personal data fairly and lawfully, we are required to inform you:

  • Why we collect your data;
  • How it will be used;
  • Who it will be shared with.

Data Controller

The Data Controller is Altitude Foundation. We process your data in line with the requirements of the EU General Data Protection Regulation (GDPR), specifically as expressed in the Data Protection Act (2018), and this Privacy Notice.

As the Data Controller, the Foundation decides how your personal data is processed and for what purposes. We may change this Notice from time to time, in order to accurately reflect changes to our operation. Any such changes will be published on our website. Notwithstanding any change to this policy, we will continue to process your data in accordance with your rights and our obligations in law.

Data Protection Officer

The Foundation is not obligated under law to appoint a designated Data Protection Officer, However, the responsible stewardship of your personal data is of paramount importance to us, and therefore we have followed best practice and appointed a designated member of staff to oversee compliance and champion data protection within the organisation.

Colin Ferguson, the General Manager, is the Foundation’s appointed Data Protection Officer. If you have any questions about this privacy notice or how we handle your personal information, please contact us by email at ​ privacy@altitudefoundation.org​.

Your Rights

By law, the personal data we hold about you must be:

  1. Used lawfully, fairly and in a transparent way;
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
  3. Relevant to the purposes we have told you about and limited only to those purposes;
  4. Accurate and kept up to date;
  5. Kept only as long as necessary for the purposes we have told you about;
  6. Kept securely.

You have the right to be provided with information about how and why we process your data. Where you have the choice to determine how your personal data will be used, we will ask for your consent. Where you do not have a choice (for example, where we could not facilitate your involvement in our programme without processing your data), we will provide you with a privacy notice (this document).

You have the right to withdraw your consent for data processing at any time. ​Where this will have an impact on the service we provide, this will be explained to you, so that you can determine whether it is the right decision for you.

You have the right to be told whether we are processing your personal data and, if so, to be given a copy of it. You can make a subject access request by emailing the Data Protection Officer, above.

You have the right to request rectification of any incorrect data we hold about you. If you believe that any data we hold about you is inaccurate, please contact us and we will investigate. We can also correct any incomplete data.

You have the right to request that we erase your personal data. ​This can apply in the following circumstances:

  • We no longer need the personal data for the purpose it was originally collected;
  • You withdraw your consent and there is no other legal basis for the processing;
  • You object to the processing and there are no overriding legitimate grounds for the processing;
  • The personal data have been unlawfully processed;
  • The personal data have to be erased for compliance with a legal obligation.

You have the right to request that we restrict the processing of your personal data. This can apply in the following circumstances:

  • You believe that the data are inaccurate and you want us to restrict processing until we determine whether it is;
  • The processing is unlawful and you want us to restrict processing rather than erase it;
  • We no longer need the data for the purpose we originally collected it, but you need it in order to establish, exercise or defend a legal claim;
  • You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.

Types of Personal Data Collected and Held

The types of data we may gather relating to applicants and participants may include the following:

  • Name
  • Address
  • Date of Birth
  • Contact Details (including phone numbers and email addresses)
  • School Details
  • Equality Monitoring Data (including gender, nationality and ethnicity)
  • Medical Data (including support needs and dietary preferences)

The types of data we may gather relating to parents and carers may include the following:

  • Name
  • Address
  • Contact Details (including phone numbers and email addresses)

The types of data we may gather relating to teachers and other professionals may include the following:

  • Name
  • Employer
  • Employer’s Address
  • Professional Contact Details (including phone numbers and email addresses)

We will also gather these employee data:

  • Name
  • Address
  • Contact Details (including phone numbers and email addresses)
  • Next of Kin Details
  • CVs
  • References

Please note that these are illustrative but non-exhaustive lists.

Lawful Basis

Personal data will only be processed when the law permits this to happen. Most commonly, personal data will be processed in the following circumstances:

  • Where Altitude Foundation has a legitimate interest to process data;
  • Where you have given us your consent;
  • In order to fulfil the requirements of our application process, or to satisfy a contract or agreement we have entered into with you;
  • Where we need to comply with a legal obligation;
  • To protect your vital interests or those of another person.

Where we process special category sensitive data, we process data on one or more of the following bases:

  • Explicit consent has been given by you;
  • It is necessary for the Foundation to carry out its obligations under employment, security or social protection law;
  • Processing is necessary to protect your vital interests or those of another person.

How Personal Data are Stored and Processed

All personal data are processed and stored on the Foundation’s administrative systems. These are principally cloud based, provided by Google through its G-Suite software solution. Through cutting-edge cloud security, all of the charity’s electronic data are held safely and processed in a secure IT environment. Access to these data is strictly limited to staff, trustees and selected volunteers on a strictly need-to-know basis.

Who Personal Data are Shared With

Your data will not normally be shared outside of the Foundation, except where required to do so by law, to protect vital interests, or with trusted third parties in order to deliver the service we have agreed to provide to you. We will only do so when we are satisfied that any such use of data will accord with this notice.

For the duration of participants’ involvement in the programme, data may be shared in order to facilitate medical or other support. Participants will be asked for consent to share any data with an external agency if the purpose is to secure non-urgent support. If there is an urgent need for help, the Foundation may need to act without consent in order to protect your vital interests.

How Long Personal Data are Held

Personal data is kept, deleted or anonymised in line with the following schedules:

  • Unsuccessful applicants’ data are held for one year after application decisions have communicated;
  • Successful applicants’ data become participant data, and are held for the duration of a participant’s involvement in the programme, plus three years;
  • Parents’ and carers’ data are held either in line with unsuccessful applicants’ data, or for the duration of a participant’s involvement in the programme, plus one year;
  • Teachers’ data are held for the duration of a participant’s involvement in the programme;
  • Employee data are held for the duration of employment, plus five years.

Further Information

Legitimate Interests Assessment

Identification

Altitude Foundation processes data relating to programme participants in order to deliver the programme. Processing data allows the Foundation to communicate with participants, to arrange appropriate activity and ensure sufficient support is in place to enable participants to receive maximum benefit from the programme.

The Foundation also uses personal data to evaluate the programme, ensuring that future participants can benefit from the most cost effective and impactful interventions it is possible for the charity to provide.

Necessity Test

If the Foundation did not process participants’ personal data in the ways described in this Privacy Notice, then a spectrum of impact directly affecting participants would occur:

  • In the best case scenario, activity would be significantly curtailed and participants would experience a considerably reduced, and less impactful, programme;
  • In the worst case scenario, it would not be possible to run the programme in any form.

The personal data to be collected are the minimum necessary to organise the programme and evaluate it effectively, in the best interests of the participants themselves. Any personal data collected for which the participant can exercise their right to consent to processing, without significant detriment to the running of the programme, will be only be processed with consent.

Balancing Test

The Foundation will gather sensitive category personal data. However, this will only ever be used for monitoring purposes, and in this context will only be evaluated and published in anonymised or aggregated formats. Non-sensitive personal data may be used for evaluation or marketing/reporting, but in this context, consent will always be sought in advance.

We sincerely believe that participants will expect us to process their personal data, in their best interests, to deliver a programme. We will always be clear, transparent and upfront about how we use personal data, and will never use data for any other purpose than for the best interests of the participants.