Last updated: 19 December 2019
This policy applies to the personal information you give us or which we receive.
Please read this policy carefully.
What information do we collect about you?
Much of the information we hold will have been provided by you, but some information may also come from external agencies, intermediaries or others who have referred you to us for assistance, or from previous employers if you are applying for a job, and we may source some data from publicly available sources.
We collect, store and process personal data about you, for example your name, job title, email address and telephone number, as well as details about your business, for example company size, turnover, sector and growth plans.
We may collect and use the following information about you:
- Information which you give us as our customer – for example when we advise you, when you attend an event, when you sign up to one of our services, or when you contact us by telephone or we call you. Please note that calls may be recorded for training and quality assurance purposes;
- Information that you provide on any application form, claim and follow-up forms for funding in relation to a project, which may include baseline and impact data;
- Information which you give us when you apply for funding – which might be for a project or for your organisation;
- Information we receive from external agencies, intermediaries or others who have referred you to UMi for assistance; and
- Information that you give us when you apply for a job.
Why do we need the information?
We use your information to enable us to run our business and manage our relationship with you effectively, lawfully and appropriately.
The information will be used to deliver business services to you and manage contracts as follows:
- To help your business. We will use it to check your eligibility and, where applicable, provide business support services and to advise you on your business;
- To deliver services to you that you have signed up for;
- To process your application for funding. If your application is successful, we will produce a funding agreement and administer the funding;
- We will also use the information for audit and management information purposes, to report to our Funders and to produce statistics and to promote the success of the project;
- To share with other delegates, buyers and suppliers, with your permission, at certain events;
- To process job applications and manage any subsequent contracts of employment;
- To manage relationships with our suppliers, contractors and associates; and
- To notify you about changes to our services.
We also use your information for the following legitimate business reasons:
- To measure the quality of our services and improve them; for example, through customer satisfaction, monitoring and evaluation of our services – we may use a third party to carry this out on our behalf;
- To help us service customers' needs more effectively and to develop and maintain meaningful relationships, recognising the different ways in which we have interacted with you and the range of services you have received;
- To send you updates about the service you have registered for and to let you know about other business support opportunities, services and events from UMi, but only where we feel these will be of interest to you or your business;
- To deliver a better, more personalised service and content based on your use of our websites;
- To grow our business and contact new prospects about relevant business services that we offer;
- To better understand the local business market and analyse our impact on the wider economy;
- To ensure funding goes to the right businesses for the right purposes;
- To ensure we meet our targets and other contractual commitments; and
- To prevent and detect fraud and irregularity.
You may be able to object to these uses by contacting us.
Where do we store your information?
We store information both electronically and in paper files.
Electronic data will be securely transferred to, and stored within, the EEA or with a compliant Non-EEA based supplier. In circumstances where we transfer data to countries outside the EEA we ensure the supplier complies with European data protection law and that your information is protected, for example by the EU-US Privacy Shield framework.
Some of our staff may access your information from outside the EEA, for example using a laptop or handheld device.
IT suppliers outside the EEA, like Oracle, may also have incidental access to your information for the purpose of providing IT support.
We use PayPal for online payments for events. Please note that we do not store credit card details nor do we share financial details with any 3rd parties.
How long will we hold your information?
We will store your information securely at least for the duration of any customer relationship we have with you, or as otherwise required by our Funders, which in some cases could be for two years after the closure of the 2014-20 ERDF programme (which could be until 2033).
If you apply for a job and are unsuccessful, we will retain your details for 6 months.
Who else will receive the information?
We may disclose your information to the following types of organisation:
(1) Funders, auditors, advisers and authorities
Our services are funded by a number of external organisations (Funders). Your Information may be passed to those Funders, their auditors and advisers for their own purposes such as:
- Audit and monitoring;
- Detection and prevention of fraud and irregularity;
- Documentary evidence of funding;
- Production of case studies and demonstration of best practice; and
- Sending you further information which may be of interest to you
Our Funders may be required to disclose information about you or your business in response to a request under the Freedom of Information Act 2000, unless an exemption applies. Although companies in UMi are not subject to the Freedom of Information Act 2000, we may be asked to assist Funders with requests that they receive.
We may share your information with our advisers so we can take advice, or with our own auditors for auditing purposes. We will disclose your information to regulatory or enforcement authorities if asked to do so, or to a third party in the context of actual or threatened legal proceedings.
As well as the employees, officers, auditors and other agents of UMi, the Secretaries of State, the European Commission, the European Court of Auditors, the National Audit Office, (and any successor to any of the foregoing bodies) may examine, audit or copy the information contained in any document or record (whether paper or electronic) relating to the services provided to you.
(2) Other business support organisations
We will share management information and statistics with other business support organisations in the UK for the purpose of improving business support services, but not in a way that identifies individuals.
We may also need to share your information, both core details about you and your business and details of our interactions with you, with other business support organisations involved in your project, to improve the quality of business support given to customers. We will discuss this with you at the time. We will only share your information if you want to receive these additional services from other organisations.
(3) Organisations referring customers to UMi
We will usually share your information, both core details and details of our interactions with you, with any organisation which referred you to us, so they know the outcome of the referral.
(4) UMi companies
We will share your information within our business, which means the ultimate holding company, its subsidiaries and their subsidiaries, as defined in section 1159 of the Companies Act 2006. The companies within our business will use your information to provide business support services to you and, if you’ve asked to be on our mailing lists, to send you further information which may be of interest to you.
We may allow third party providers and contractors who supply services to us or who process information on our behalf incidental access to your information. We will ensure that we have appropriate contracts in place and that they keep your information secure and do not use it for their own purposes.
We may share your information with another organisation which buys one or more of the companies within our business or our assets or to whom we transfer our agreement with you and in the course of any negotiations which may or may not lead to such a transfer or sale.
How do we safeguard your information?
We will keep your information secure by taking appropriate technical and organisational measures against the unauthorised or unlawful processing of that information and against its accidental loss, destruction or damage.
What are your rights?
Subject to certain conditions, you have the following rights in relation to the personal data that we hold about you:
- to obtain a copy of your personal data;
- to restrict or object to our use of your personal data;
- to ask us to delete or correct your personal data;
- where you have provided consent, to withdraw it;
- to transfer your personal data to another data controller; and
- to make a complaint to the Information Commissioner’s Office (ICO) if you think we are not handling your personal data fairly or in accordance with the law.
Please also let us know (using our contact details below) if there are any changes to your information, or if you notice any mistakes in the information that we hold about you as this helps us to keep it up to date and reliable. We may contact you from time to time to check whether the information we have on you is still accurate and up to date.
You can also contact us if you want to be added to, or removed from, our mailing lists.
Data Protection Officer
Spectrum Business Park
We use traffic analytics cookies to identify which pages are being used. This helps us analyse data about web traffic and improve our website in order to tailor it to our customer needs.
Using cookies helps us create better websites, providing customers with a better browsing experience. Cookies do not allow us to access your computer or any information in any way, other than the data you choose to share with us.
- Where we use Google Analytics, it is one of the most widespread and trusted analytics solution on the web for helping us to understand how you use the site and ways that we can improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit so we can continue to produce engaging content. For more information on Google Analytics cookies, see the official Google Analytics page.
- We may use other third party analytics to track and measure website usage so that we can continue to produce engaging and relevant content. These cookies may track things such as your IP address, how long you spend on the site or pages you visit which helps us to understand who you are, what we can offer you and how we can improve the site for you.
- From time to time we test new features and make subtle changes to the way that the site is delivered. When we are still testing new features these cookies may be used to ensure that you receive a consistent experience whilst on the site whilst ensuring we understand which optimisations our users appreciate the most.
- As we sometimes sell products it's important for us to understand statistics about how many of the visitors to our site actually make a purchase and as such this is the kind of data that these cookies will track. This is important to you as it means that we can accurately make business predictions that allow us to monitor our advertising and product costs to ensure the best possible price.
- The Google AdSense service we sometimes use to serve advertising uses a cookie to serve more relevant ads across the web and limit the number of times that a given ad is shown to you.
- For more information on Google AdSense see the official Google AdSense privacy FAQ.
- We also use social media buttons, tracking and/or plugins on this site that connect with your social network in various ways. For these to work the following social media sites including; Facebook, Twitter, LinkedIn, Instagram, YouTube, will set cookies through our site which may be used to enhance your profile on their site or contribute to the data they hold for various purposes outlined in their respective privacy policies.
- Further tracking will be done via umi_tc and we track page views and clicks with a __umit.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
Data Protection Policy: UMi
UMi Holdings Limited’s Data Protection Policy applies to all contracts delivered by or connected to all businesses under and/or alongside the above named entity, and to all staff to ensure compliance with the Data Protection Act 1998 (DPA), The General Data Protection Act 2018 (GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR).
This policy is a statement of the measures and policies which the businesses have adopted to ensure that they comply with the requirements of the GDPR and other related legislation. The purpose of data protection legislation is to ensure that personal information (PI) are not processed without the knowledge and (except in certain cases) the consent of that individual, the ‘data subject’, to ensure that personal Information that are processed are accurate, and to define and enforce a set of standards for the processing of such information.
This policy is intended to ensure that personal information will be dealt with properly and securely and in accordance with the DPA. It applies regardless of the way the information is used, recorded and stored and whether it is held in paper files or electronically.
The Act covers:-
- Data held in both manual and electronic files. Compliance with the 1998 Act is the responsibility of all UMi staff processing personal data on behalf of UMi. Whilst contractors processing personal data on behalf of UMi are not directly covered by the policy, it must be made clear to them that they are obliged to adhere to the eight data protection principles, as are any sub-contractors whom they may choose to employ. A data protection statement to this effect must be included in any contract.
- Personal data. This is information about you. It can be your name, address or phone number. It can also be the type of job that you do, things you buy or where you went to school. It is data that can identify you as an individual.
- Sensitive personal data. This is information about an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life, alleged criminal activity and court proceedings.
All UMi companies will operate in line with this Data Protection Policy. The following companies are registered data controllers:
UMi Holdings Limited
UMi Commercial Limited
UMi Investment Limited
UMi Scotland Limited
General Partner UMi Scotland Limited
Although, legally, the DPA does not apply to non-personal data, we apply the same good practice principles to all our data handling and staff should ensure that they treat all data in the same way as that of individuals, and follow the same data handling procedures.
This policy should be read in conjunction with the following related documentation:
- ICT and Business Systems Security policy
- Document retention policy
Uses of personal data
UMi needs to collect and retain certain information relating to users of its services and some of this will be personal data, relating to individuals, sole traders or partnerships. The information enables us to monitor and record assistance delivered to customers. Unless we specifically state otherwise, this customer information will only be used for legitimate, specified and lawful purposes, for example, including delivery of our services, marketing, monitoring customer satisfaction and performing analysis of the data in a non-attributable way. These uses are those which any customer, from whom we have requested personal data, might reasonably expect. We will explain our uses when data is collected and provide the opportunity for individuals to object.
Any additional purposes, for which the data are being processed, for instance passing the data to a funding body, must be explained to the data subject at the time of collection. This may be done via various documentation, such as registration forms or contracts, as well as UMi privacy statement. Marketing permissions will also be obtained and recorded on the CRM.
UMi also needs to process information about its employees, suppliers and contractors so that staff can be paid, records maintained, and the requirements of government and funding bodies satisfied. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
UMi will not collect any data which is unnecessary or excessive in relation to the purposes it has explained above.
In relation to the above, the company must comply with the eight Data Protection Principles which are set out in the Data Protection Act 1998. In summary these state that Personal Data shall be:
- Fairly and lawfully processed
- Processed for specified purposes
- Adequate, relevant & not excessive
- Accurate and (where necessary) kept up-to-date
- Not kept for longer than necessary
- Processed in line with the rights of the individual
- Kept secure
- Not transferred outside the European Economic Area (EEA) unless adequately protected
All staff and others who process or use personal information on behalf of the company must ensure that they abide by these principles at all times.
UMi has implemented the following procedures to ensure compliance with the DPA:
Staff Guidelines for Data Protection
Staff have both obligations and rights under the Act and the UMi’s Data Protection Policy. They should ensure that they are familiar with this UMi Policy.
All staff should ensure that any types of personal data that they control are included in the registration of the relevant company. If in doubt, the Company’s Data Protection registration details should be consulted. The Data Protection Officer (DPO) has copies of these and they can also be searched on the ICO Site:
Staff who wish to know more about the Data Protection Act should raise this with their line manager, or the DPO, as well as visiting the Information Commissioner’s website for general information at https://ico.org.uk/
All staff are responsible for ensuring that:
- any personal data which they hold, whether in electronic or paper format, are kept securely;
- personal information is not disclosed either orally or in writing to any unauthorised third party;
- any personal data which they are required to disclose e.g. to funders or payroll processors is transmitted securely. For example this may be via a secure portal, or, where any personal data is to be transferred via email or attachments then this should be secured using appropriate encryption methods (see instructions for how to transmit data securely). All transfers not via a secure portal must be performed by an appropriate manager;
- they do not record inappropriate or unnecessary personal information and do not retain this for longer than necessary;
- customer data is kept up to date and accurate through ongoing checks with the customer throughout the relationship.
Staff should follow the ICT and Business Systems Security policy at all times.
In the event that there is a suspected data security breach, this should be reported immediately to Line Management and to the Chief Operating Officer who will instigate UMi’s Data Breach Action Plan and involve relevant staff and specialists eg HR, Business Systems. Steps will be taken immediately to contain the breach, assess the risks and make appropriate notifications; any breach where UMi is operating as Data Processor under a contractual agreement will be notified to the relevant data controller and it may also be necessary to notify individuals. Once the breach has been contained an investigation will be carried out to establish the reasons behind the breach. Where a serious breach has taken place UMi will notify the Information Commissioner’s Office. All necessary corrective and preventive steps as a result of the breach will be implemented.
Notification of Data Held and Processed
Anyone with whom we have had dealings is entitled to:
- know what personal information UMi holds and processes about them and know how to gain access to it
- know how to keep it up to date
- know what UMi is doing to comply with its obligations under the 1998 Act.
This will be notified via various means including Investment Centre contract and event attendance documentation, as well as via UMi privacy statement.
Objection to Marketing
Individuals have a right to object to their data being processed for marketing purposes. This must be actioned promptly and under no circumstances should the customer be re-contacted to try to persuade them otherwise.
Marketing permissions are recorded within the CRM and if a customer contacts us to be removed from our mailing lists, this must be updated and their details added to a suppression list.
Where a customer uses the unsubscribe function on an email, their details will automatically be suppressed from future marketing.
Retention of Data
UMi will need to keep some forms of information for longer than others, in line with financial, legal or funding requirements and this may vary from contract to contract. Personal data must not be retained for longer than necessary; full details regarding retention periods can be found within UMi’s document retention policy. Hard-copy and electronically-stored information will be destroyed using secure methods that comply with the data protection regulations that are in force at the time of its destruction.
Subject Consent to Processing Sensitive Information
In many cases UMi can only process personal data with the consent of the individual. If the data is sensitive, express consent must be obtained. For example we may collect details concerning the racial or ethnic origin of the data subject in the course of our dealings with customers. Customers signify during the collection process their consent to the processing of such sensitive personal data.
Rights to Access Information – ‘Subject Access Requests’
The Act gives individuals about whom UMi processes personal data a number of rights. In addition to their rights relating to our use of their personal data they also have the right to request access to the personal data which we hold about them.
Any person who wishes to exercise this right, making a Subject Access Request, (SAR) should make their request in writing to the DPO.
A fee of the sum of £10.00, which is UMi’s administration charge for this service, may be required. It may be waived depending upon circumstances on a case by case basis. The fee is non-refundable and covers a single search. Any subsequent request from that data subject will attract a fresh charge.
The receipt of a SAR will be acknowledged by UMi. The Data Protection Officer may require documents from the individual to establish his/her identity and confirm his/her address as well as details as to where they believe the requested information is held.
UMi aims to comply with requests for access to personal information as quickly as possible, however will ensure that it is provided within 40 calendar days unless there is good reason for the delay. In such cases the reason for delay will be explained in writing to the data subject initiating the request.
Where we have previously complied with an SAR, we will not be obliged to comply with a subsequent request unless a reasonable interval has elapsed. Given the type of personal data which we hold, it would normally be reasonable for us to insist upon an interval of three months between each subject access request. However, this interval could be less depending on the circumstances.
Publication of Company Information
Information that is already in the public domain is exempt from the conditions imposed by the Data Protection Act 1998.
The following information relating to persons associated with UMi is deemed to be in the public domain:
- names of all members of the boards of the companies within UMi.
Any individual having good reason for wishing personal details normally contained in these lists to remain confidential should contact the Data Protection Officer.
UMi’s internal phone list will not be a public document.
Personal names, company telephone numbers and e-mail addresses of staff may be published on UMi’s websites, unless the individual concerned indicates to the Data Protection Officer that they do not wish their personal details to be disseminated in this way.
Staff names only are routinely included in marketing materials such as press releases.
All staff will be made aware of this policy and receive appropriate training regarding their responsibilities under the DPA.
Data Protection Officer
UMi’s Data Protection Officer (DPO), is Kim Oliver, Central Services Director, e-mail address: firstname.lastname@example.org
Compliance and Review
Failure to comply with the DPA can, in extreme circumstances, lead to a company within UMi being prosecuted. Accordingly, there are no exceptions to this policy; non compliance may lead to disciplinary proceedings.
Compliance will be monitored through Internal and Quality Audit.
This policy will be reviewed at least annually and if further changes are required more frequently than this, due to changes to procedures or other circumstances, then they will be made and communicated as necessary.
The Privacy Statement will also be updated as required on an ongoing basis as circumstances change.
END OF DOCUMENT