1.1
This Privacy Notice explains how The CyberHub Trust use any personal information that it may collect about you. It is committed to ensuring that your privacy is protected in accordance with the law, and all personal data shall be held and used in accordance with the UK laws relating to data protection and privacy.1.2
This policy, together with our Terms of Use, sets out the basis on which any personal data the Trust collects from you, or that you provide to it, will be processed. We do update this policy from time to time so please do review this policy regularly.1.3
It is important that you read this privacy notice together with any other privacy notice or fair processing notice the Trust may provide on specific occasions when it is collecting or processing personal data about you so that you are fully aware of how and why it is using your personal data. This privacy notice supplements those other notices and is not intended to override them.
2.1
Personal data means any information about an individual from which that person can be identified. The Trust may collect, use, store and transfer different kinds of personal data about you which has been grouped together as follows:2.1.1
Identity Data includes first name, maiden name, last name, marital status, title, date of birth and gender2.1.2
Contact Data includes address (home, postal or other physical address), email address and telephone numbers2.1.3
Usage Data includes information about how you use the Trust’s services2.1.4
Information relating to charitable donations, sponsorship and grants
2.2
Personal data does not include data where your identity has been removed or which is not associated with or linked to your personal data (anonymous data)2.3
The Trust may also collect, use and share Aggregated Data such as statistical or demographic data for research purposes. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.2.4
Where the Trust needs to collect personal data by law, or under the terms of a contract — and you fail to provide that data when requested, the Trust may not be able to perform the contract it has or is trying to enter into with you. In this case, the Trust may have to cancel a service you have requested. In that event, the Trust will notify at the time.
3.1
The Trust will only collect data from and about you through direct interactions. You may provide your Identity, Contact and Financial Data by filling in forms or by corresponding with the Trust by post, phone, email, via the website or otherwise, or when you enter into a contract with the Trust for the provision of services.
3.2
This includes the following interactions:3.2.1
When you agree to become a Partner or a Sponsor, data you provide to the Trust is added to the database3.2.2
When you contact the Trust regarding an application as a college, student or apprentice, data you provide to the Trust is added to the database3.2.3
When you make any enquiry about The CyberHub Trust and give permission to be added to the database, your data is added3.2
Personal data does not include data where your identity has been removed or which is not associated with or linked to your personal data (anonymous data)3.3
The Trust will also ask you from time to time to update your contact details, communication preferences, location, and interests.
4.1
The Trust will only use your personal data when the law allows it to. The Trust may collect and process the personal data about you for the following purposes:4.1.1
Requesting The CyberHub Trust services — it can/will use your Identity, Contact and Transaction Data in order to register you and to process and deliver services, including the management of grants, sponsorships or payments. This is necessary for the purpose of contracting with you.4.1.2
Contacting the Trust — when you contact it with an enquiry or to request information (including leaflets and other hard copy materials), the Trust will use your Identity and Contact Data to respond to you.4.1.3
Advertising, Marketing and Public Relations:4.1.3.1
The Trust may use the Identity, Contact, and/or Usage Data of its sponsors, partners, colleges and/or students — to form a view on what they may want or need, or what may be of interest to them.4.1.3.2
In doing so the Trust will only send information that is deemed relevant to their use of CyberHub services. This is necessary for the Trust’s legitimate interests in growing and developing the services offered.4.1.3.3
Sponsors, partners, colleges and/or students will receive marketing communications from the Trust if they have requested information or purchased services and, in each case, have not opted-out of receiving that marketing.4.1.3.4
The Trust will not share personal data with any third party for marketing purposes. You can ask the Trust to stop sending marketing communications at any time by contacting it.4.1.3.5
The Trust will use your Identity and Contact data for the purposes of communicating information about relevant cybersecurity and/or Trust processes, information about support services, sending newsletters, promoting benefits and services and notification of events. Also facilitating the establishment of networking groups, fundraising requests, volunteering opportunities and work placements.4.1.4
Surveys — If you choose to complete a survey that the Trust uses for research purposes it will retain the information that you provide in response to that survey. This is necessary for the Trust’s legitimate interest in understanding its sponsors, partners, colleges and/or students, developing The CyberHub Trust and to informing its marketing strategy.4.1.5
Information to Sponsors about the progress of The CyberHub Trust, specifically in relation to their funding/sponsorship.4.1.6
Administration — the Trust may use your Identity and Contact Data for the purpose of protecting its business and website, including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data. This is necessary for the Trust’s legitimate interest in running its business, the provision of administration and IT services, networks and cybersecurity, to prevent fraud and for compliance with its legal obligations.4.1.7
Website Analytics — as you navigate the website, Usage Data may be collected automatically. This is done to find out things such as the number of visitors to the various parts of the website, and to help to improve the content of the website and to customise the content or layout of the website for you, in accordance with the Trust’s legitimate interests. This is necessary for the Trust’s legitimate interest in defining types of sponsors, partners, colleges and students — for the Trust’s services, to keep its website updated and relevant, to develop the Trust and to inform its marketing strategy.4.1.8
Fault reporting — if you contact the Trust to report a fault with the website, it will use the Identity and Contact Data provided for the purposes of rectifying that fault in accordance with the Trust’s legitimate interests.4.1.9
Recruitment — personal data provided for an employment opportunity will be processed so as to allow the Trust to process and evaluate the merits of that application in accordance with its legitimate interests.4.2
The Trust may also use personal data which you provide, where the law allows it to do so, as follows:4.2.1
To deal with and/or respond to any enquiry or request made by you prior to entering into any contract or agreement with the Trust or as a result of such contract or agreement.4.2.2
Where the Trust needs to perform the terms of the contract it is about to enter into, or has entered into with you.4.2.3
Where the Trust needs to comply with a legal or regulatory obligation, including the prevention of crime.4.2.4
Where it is necessary for the Trust’s legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.4.3
The Trust does not generally rely on consent as the legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting the Trust.4.4
Where The Trust processes personal data on the basis of a legitimate interest, as set out in this privacy notice, legitimate interest means the interest of the Trust in conducting and managing its business to enable it to give you the best service and the best and most secure experience.4.5
The Trust will make sure that it considers and balances any potential impact on you (both positive and negative) and your rights before it processes your personal data for legitimate interests. It does not use your personal data for activities where the Trust’s interests are overridden by the impact on you (unless it has your consent or is otherwise required or permitted to by law). You can obtain further information about how the Trust assesses its legitimate interests against any potential impact on you in respect of specific activities by contacting The CyberHub Trust.4.6
The Trust will only use your personal data for the purposes for which it is collected, unless it reasonably considers that the Trust needs to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact The CyberHub Trust. If the Trust needs to use your personal data for an unrelated purpose, it will notify you and explain the legal basis which allows it to do so.4.7
Please note that the Trust may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.4.8
The Trust complies with the seven principles of GDPR, set out below, taken from the ICO website.Personal data shall be:
4.8.1
processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’)4.8.2
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’)4.8.3
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)4.8.4
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)4.8.5
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)4.8.6
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).4.8.7
held with appropriate measures and records in place to be able to demonstrate compliance (‘accountability’).
5.1
Your personal data will only be disclosed to those CyberHub Trust employees or workers that have a need for such access for the purpose for which it was collected. Your personal data will not be disclosed to any other individuals or other entities except in the following circumstances:5.1.1
On occasion, the Trust needs to hire other companies to help it to serve you better and in some of these cases the Trust may need to share personal data that is necessary to perform tasks, such as market research or issuing marketing materials. These third parties may be printers, couriers, researchers engaged to carry out research, for example.5.1.2
Where it is necessary for the performance of the Trust’s contract with you, including where you have asked it to do so, or where the Trust needs to take steps to enforce any contract which may be entered into between it and you.5.1.3
Where the Trust is under a legal duty to do so in order to comply with any legal obligation.5.1.4
In order to protect the rights, property or safety of the Trust, its employees and others. This includes exchanging information with other companies and organisations for the purposes of cyber-crime, fraud prevention and credit risk reduction.5.1.5
If the Trust, or substantially all its assets are acquired by a third party, in which case personal data that it holds about its customers will be one of the transferred assets.5.2
The Trust requires all third parties that process personal data on its behalf to respect the security of your personal data and to treat it in accordance with the law. The Trust does not allow its third-party service providers to use your personal data for their own purposes and only permits them to process your personal data for specified purposes and in accordance with the Trust’s instructions.
6.1
The CyberHub Trust is committed to ensuring that your personal data is secure. To prevent unauthorised access or disclosure, the Trust has put in place suitable physical, electronic and managerial procedures to safeguard and secure the personal data it collects.6.2
In addition, the access to and use of the personal data that it collects is restricted to CyberHub Trust employees who need the personal data to perform a specific job role or activity. Where personal data is shared with third-parties, responsible measures are used to protect your personal data.6.3
The Trust has put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where it is legally required to do so.6.4
The transmission of information via the internet is not completely secure. Although the Trust will do its best to protect your personal data, it cannot guarantee the security of your data transmitted to the Trust’s website; any transmission is at your own risk. Once the Trust has received your personal data, it will use strict procedures and security features to try to prevent unauthorised access.6.5
The CyberHub Trust urges you to take every precaution to protect your personal data when you are on the internet.
7.1
The CyberHub Trust will not transfer personal data outside of the United Kingdom without the express prior consent of the sponsor, partner, college or student.
8.1
The Trust will only retain your personal data for as long as necessary to fulfil the purposes it collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.8.2
To determine the appropriate retention period for personal data, the Trust has considered the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which the Trust processed your personal data and whether it can achieve those purposes through other means, as well as the applicable legal requirements.8.3
In some circumstances the Trust may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case it may use this information indefinitely without further notice to you.
9.1
You have the right to:9.1.1
Request access to your personal data (commonly known as a “Data Subject Access Request"). This enables you to receive a copy of the personal data that the Trust holds about you and to check that it is lawfully processing it.9.1.2
Request correction of the personal data that the Trust holds about you. This enables you to have any incomplete or inaccurate data that the Trust holds about you corrected, though it may need to verify the accuracy of the new data you provide.9.1.3
Request erasure of your personal data. This enables you to ask the Trust to delete or remove personal data where there is no good reason for the Trust to continue to process it.9.1.4
Ask the Trust to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where the Trust may have processed your personal data unlawfully or where the Trust is required to erase your personal data to comply with local law. Please note, however, that the Trust may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.9.1.5
Object to processing of your personal data where the Trust is relying on a legitimate interest (or those of a third-party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.9.1.6
Object where the Trust is processing your personal data for direct marketing purposes. In some cases, the Trust may demonstrate that it has compelling legitimate grounds to process your personal data which override your rights and freedoms.9.1.7
Request restriction of processing of your personal data. This enables you to ask the Trust to suspend the processing of your personal data in the following scenarios:a.
if you want it to establish the data’s accuracyb.
where the Trust’s use of the data is unlawful, but you do not want it to be erasedc.
where you need the Trust to hold the data even if it is no longer required as you need it to establish, exercise or defend legal claims; ord.
you have objected to the Trust’s use of your data, but it needs to verify whether it has overriding legitimate grounds to use it.9.1.8
Request the transfer of your personal data to you or to a third party. The Trust will provide to you, or a third-party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for the Trust to use, or where it used the information to perform a contract with you.9.1.9
Withdraw consent at any time where the Trust is relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, the Trust may not be able to provide certain products or services to you. It will advise you if this is the case at the time you withdraw your consent.9.1.10
You can ask the Trust to stop sending you marketing messages at any time by following the “Unsubscribe” (or similar) links on any marketing message sent to you or by contacting the Trust at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to the Trust as a result of a purchase, product/service experience or other transactions.
10.1
The CyberHub Trust website may contain links to other websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. The Trust does not control third-party websites and is not responsible for their privacy statements or for the content, accuracy or opinions express in such websites.10.2
The Trust does not investigate, monitor or check third-party websites for accuracy or completeness and the inclusion of any linked website on or through The CyberHub Trust website does not imply its approval or endorsement of the linked website.10.3
If you decide to leave this website and access these third-party websites, plug-ins and/or applications you do so at your own risk. The Trust encourages you to read the privacy notice of every website you visit.
11.1
This version was last updated in July 2020.11.2
It is important that the personal data which The CyberHub Trust holds about you is accurate and current. Please keep the Trust informed if your personal data changes during your relationship with the Trust.
12.1
Questions, comments or requests about your personal data can be sent to:Name: Julia von Klonowski
Address: 26 Queen Victoria Street, Reading, RG1 1TG, United Kingdom
Email: enquiries@cyberhub.org.uk
13.1
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (https://www.ico.org.uk), however The CyberHub Trust would appreciate the chance to deal with your concerns before you approach the ICO.