4C UR Future

4C UR Future Privacy Notice

4C UR Future CIC (registered company number NI659959) take the protection of personal data very seriously. By using our website and/or engaging with our services, you consent to the collection, storage, processing, and transfer of your information under the terms of this Notice, together with our Terms of Use.

We process personal data to deliver our services to, and manage our relationships with, our stakeholders and service users. This includes: young people; our members and supporters; volunteers; schools, Further and Higher education; local and central government; suppliers; and others who interact with our organisation. 

 

In addition to service delivery, the processing of personal data enables us to operate more effectively and efficiently, to better understand how we can meet and exceed the needs of our stakeholders and service users, and ultimately helps us achieve our goal of ensuring every young person in Northern Ireland is involved, informed, and inspired to make more empowered education and career choices.

 

We process personal data in compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) – collectively referred to as Data Protection Legislation – and the Privacy and Electronic Communications Regulations (PECR). 4C UR Future CIC is the Data Controller for your personal data, and is registered with the Information Commissioner’s Office (ICO), registered number: XXXXX.

 

This Privacy Notice tells you what to expect when we collect and use your personal data. We aim to be clear and transparent, and to use your information in a way that you would reasonably expect us to.

What personal data do we typically process?

We process personal data relating to the young people and service users we engage with through our programmes, interventions, and website/Careers Portal, as well as our members and supporters, volunteers, wider stakeholders, and others who engage with us about our activities.

We typically process the following personal data:

  • Full name and contact information, such as a phone number, email address, and postal address.
  • Next of kin and/or emergency contact details, where required.
  • Religious/community background (optional), gender identity (optional), sexual orientation (optional), ethnicity (optional), and date of birth, where this information is relevant to us providing a service.
  • Information relevant to an individual’s employment history and professional activities, where required.
  • Demographic information, such as your preferences, interests, and activities.
  • Information relevant to disabilities, learning difficulties, and/or medical conditions, where this information is relevant to us providing a service.
  • Criminal conviction information, where required.
  • Images captured as still photos or video for promotional purposes, with consent.
  • Website/Careers Portal usage and engagement information.
  • Other information relevant to education and careers-related research and/or the provision of our services.

Information we process may include “sensitive data”, such as ethnicity, religious/community background, and information concerning criminal offences. This is usually needed to comply with legislation, to ensure equality of opportunity in the provision of our services, and for data analysis purposes. Where “sensitive data” is being processed, the reason why it is needed will be made clear.

In relation to young people (under the age of 18), we aim to ensure the personal data we process is limited, in so far as is reasonably practicable, to enable us to deliver our services. We have conducted a Data Protection Impact Assessment (DPIA) in relation to the processing of personal data of young people, and our Careers Portal has been developed in line with the Age Appropriate Design Code (pending ACCS 3:2021 accreditation). Individuals under the age of 13 should ask permission of a parent/guardian before sharing personal information with anyone.

How do we obtain this information?

We process personal data obtained from a variety of sources, including:

  • Information you provide directly, for example by registering with our website, filling in forms on our website, or corresponding with us by phone, email, or otherwise, including information from attending our event(s), signing up to receive email newsletters, and any forms of interactivity on our website and/or social media.
  • Information we receive indirectly from third parties, for example if a school registers their pupils to attend an event, or if we are working closely with third parties such as Delivery Partners and they provide us with information, such as employers/businesses, Local Authorities, analytics providers, etc.
  • Information we process automatically, for example we collect anonymous information from visitors to our website including geographical location, browser type, device type, referral source, length of visit, page views, and website clicks. We use this information to help us improve our website and the information/services we provide. If you are signed in to our Careers Portal as a registered user, we will also know how you use our website, which helps us give you a better and more personalised experience.
  • Information that is publicly available, such as on Companies House, in news articles, or open postings on online directories and social media platforms such as Facebook and LinkedIn.

We review and amend/update the information we hold regularly to make sure it is as up to date and accurate as possible. We would appreciate it if you could inform us of a change in your contact details.

What are the lawful bases for us processing this information?

Under Article 6 of the GDPR, we must have a legal reason to process personal data. The lawful bases for processing the majority of the information we hold are:

  • Contract: processing of personal data is necessary for the performance of a contract to which the individual is party, for example Contracts of Employment, or the provision of our services.
  • Compliance with a legal obligation: processing of personal data is necessary for the organisation to comply with its legal obligations, for example employment law, or Equal Opportunities legislation.
  • Vital interests: processing of personal data is necessary to protect the vital interests of the individual, for example information in relation to Safeguarding concerns.
  • Legitimate interests: processing of personal data is necessary for the legitimate interests of the organisation, or third parties, except where such interests are overridden by the fundamental rights and freedoms of the individual. A Legitimate Interests Assessment (LIA) may be required to consider and balance any potential impact on the individual from processing the data.
  • Consent: processing of personal data is conducted with the individual’s consent for one or more specific purposes, for example when an individual signs up to receive our email newsletters.

In relation to young people (under the age of 18), we comply with the Age-Appropriate Design Code, a data protection Code of Practice for online services aimed at, or likely to be accessed by, children. This comprises 15 standards that must be implemented or considered in the processing of children’s data.

Individuals are under no obligation to provide us with personal data. However, where the provision of personal data is part of a statutory or contractual requirement or obligation, and that personal data is not provided, we may be unable to fulfil our statutory or contractual requirement/s or obligation/s, in whole or in part, which may result in the individual being unable to access and/or benefit from our services.

What do we do with this information?

If you are a young person, service user, teacher, business, volunteer, or another individual participating in one of our programmes, interventions, or events, or using our website/Careers Portal, we will use your information to provide you with the service(s). Other uses of information we collect include, but are not limited to:
  • Administering our website/Careers Portal and analysing your use of our website/Careers Portal to make improvements to its content, aesthetics, and functionality to improve your user experience.
  • Analysing your use of our Careers Portal, combined with information obtained from your attendance at our event(s), and your completion of surveys and digital activities, to provide you with a Personal Feedback Profile, and personalise your experience of our Careers Portal, which may include making suggestions for content we think you might be interested in and/or signposting you to relevant third parties.
  • Providing you with information about other services, products, or information we think you might be interested in, including signposting to relevant opportunities and resources, invitations to events, and opportunities to participate in relevant research.
  • Keeping a record of our relationship with you and the contact we have had with you.
  • Sending you email newsletters, or other communications, which you have signed up to receive, or are registered to receive as an active service user. Individuals can unsubscribe from the email newsletter at any time. However, active users of the Careers Portal cannot unsubscribe from communications relating to the operation of the Portal, or notifications relating to its security.
  • We may use tracking tools to improve the effectiveness of our communications with you, such as tracking whether you open emails and which links you click within a message, if any.
  • Contacting you for your opinions, views, and feedback on our services. We may contact you via post, telephone, SMS, or email. If you prefer not to be contacted by any of these means, you can let us know.
  • Other purposes consistent with the proper performance of our operations and business, and consistent with the purposes and legal bases for us processing your personal data in the first instance, and which you would reasonably expect an organisation involved with careers education and support to undertake.

How do we protect your personal information?

We are committed to ensuring that your information is secure, and develop our systems with data protection measures by design and by default. To prevent unauthorised access, disclosure, or accidental deletion, we have in place suitable and sufficient physical, electronic, and operational procedures to safeguard and secure the information we process, for example:
  • Our hardware and software are password protected, with 2-Factor Authentication, where possible.
  • Access to data is based upon the “need to know” principle, with different levels of access for management, employees, and volunteers (where required).
  • Management, employees, and volunteers receive relevant training on data protection.
  • Depending on the nature of personal data processed and its storage location, we use a range of suitable antivirus, anti-malware, anti-adware, and firewalls, in addition to encryption.
  • We have a Confidentiality Policy and Data Protection Policy in place, which all Delivery Partners and employees/volunteers must comply with.
  • We have Data Processor Agreements in place with any third party that carries out a service on our behalf, which requires access to personal information.
  • We may use reputable third-party platforms to store information in a database, such as WordPress, OneDrive, Google Drive, HubSpot, MailChimp, etc.
  • Personal data is processed for as long as is necessary in line with our legal obligations and/or legitimate interests. We will securely erase and/or destroy personal data when our legal obligations and/or legitimate interests are no longer applicable. This does not affect personal data that has been anonymised.
  • Users registered to our website/Careers Portal have password protected accounts. We do not know your password. Should a user forget their password, they can reset it via the system or by contacting us.
  • Registered users are restricted to three failed login attempts before being locked out of their account for five minutes. After a further two failed login attempts, users are locked out for one hour. This process will continue until either a successful login, or contact is made with us, so we can help you to resolve the issue.
  • If you are a registered user, we may close your account if it has been inactive for at least three (3) years. We will send you an email to let you know we plan to do this before we close the account. When accounts are closed, non-identifying information will be maintained for longitudinal data analysis.

Despite all of our precautions, no data transmission over the internet can be guaranteed to be 100% secure. Whilst we will always strive to protect your personal data, we cannot absolutely guarantee the security of any information you disclose, and wish to draw your attention to the fact that you do so at your own risk.

Visitors to our website

Our website is securely hosted and built on industry-leading platforms. When someone visits our website, we use secure third-party services and plug-ins to collect standard and anonymous internet log information, such as user activity and page visits, to monitor the effectiveness of our website, and help us improve it. We cannot identify website users from the information collected.

Registered users of our Careers Portal gain access to areas of the website that are not available to non-registered users. We collect standard user data on how registered users interact with our Careers Portal to help us make it more user friendly, provide more and better information, resources, and services, and to personalise a user’s experience of our Careers Portal.

We want our website and Careers Portal to be as informative and useful as possible, so we may signpost users to links for websites and resources hosted by third parties. Please be aware that we do not control third-party websites, which may send their own cookies to users, or otherwise collect personal information and data.

We assume no responsibility for the information gathering practices of third-party websites that you are able to access through our own website. We encourage you to review the Privacy Policy/Notice of third-party websites before disclosing any personally identifiable information to them.

Cookies

Cookies are text files placed on your device to collect standard internet log and website visitor behaviour information. Like most websites, we use cookies to help make our website, and the way you use it, better.

Cookies do not enable us to identify you as an individual. A cookie in no way gives us access to your device. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies, if you prefer. However, this may prevent you from being able to use or access parts of our website.

We use cookies for the following purposes:
  1. Strictly necessary cookies: required for the operation of our website, for example to allow you to login to restricted areas for registered users only.
  2. Analytical/performance cookies: allow us to, for example, count the number of visitors to our website and see (anonymously) how users navigate our website. This information helps us to improve how our website works.
  3. Functionality cookies: allow us to recognise you when you return to our website, for example when you select for your device to remember your login information to simplify the login process.
  4. Targeting cookies: allow us to record your visit to our website, the pages you have viewed, and the links you have followed. This information allows us to create targeted advertising through websites such as Facebook, to ensure our advertising is more relevant to your needs and interests.

For further information on cookies, visit www.aboutcookies.org or www.allaboutcookies.org.

Our email newsletter

We use a third-party provider to deliver our email newsletter. We gather statistics about email performance to help us monitor and improve. Current service users and registered users of our website will receive our email newsletter via “soft opt-in”. Anyone who wishes to receive our email newsletter can provide consent to opt-in.

You can unsubscribe at any time by clicking “unsubscribe” in any of our emails, or by sending your request to be removed from the recipient list via email to info@4curfuture.com. If you are a service user, unsubscribing from marketing emails will not unsubscribe you from service emails that relate to the operation of the website/Careers Portal.

Social media

We have social media profiles on Facebook, Twitter, LinkedIn, Instagram, and YouTube. If you send us a private or direct message via social media, the message will be stored on the relevant site.

Your data and third parties

We do not disclose or sell personal data to any third parties for the purposes of direct marketing. We may share personal data with third-party providers of services to the organisation, who assume the role of a Data Processor. Data Processor Agreements are in place with any third parties who have access to personal data in the fulfilment of their duties/contracts. Data Processors are obliged to keep your information secure and use the information only to fulfil specific purposes that are agreed, in writing, with us (the Data Controller). For example, the information we collect may be analysed anonymously and at scale to provide insights into behaviours and perceptions in relation to education and careers. A third-party data analyst may provide these services. Individuals are not identifiable from the collated analysis of information.

We will share personal information with third parties where we are required to do so by law, where it is necessary for us to deliver our services (such as a compliant Data Processor, as outlined above), or where there is a legitimate interest in doing so, for example with funding bodies, Government Agencies and associated Statutory Bodies, Social Welfare Organisations, the Careers Service, legal representatives, and potentially other such organisations for defined purposes.

Transferring personal data

Personal data we process may be transferred and stored at a destination within the European Economic Area (EEA), or to countries that are covered by a European Commission ‘adequacy decision’. For example, the servers that store the information held on our Careers Portal are located in the UK, and the servers that store the information held on our cloud-based storage system are located in the EEA. By submitting your details, you agree to this transfer. Personal data we process will not be transferred or stored at any other destination outside of the EEA without your consent.

In the event that we sell or buy any business or assets, we may disclose personal data held by us to the prospective seller or buyer, in which case personal data held by us will be a transferable asset.

Retention of personal data

Personal data is retained for as long as is necessary to fulfil the purpose/s for which it was originally processed. Retention periods may vary based upon: the organisation’s legal obligations, the organisation’s legitimate interests, or another appropriate reason. 4C UR Future maintain a Record of Processing Activities, which outlines the retention periods for each category of personal data processed.

Your rights

Under the General Data Protection Regulation, the Data Protection Act, and the Privacy and Electronic Communications Regulations, you have rights as an individual, which you can exercise in relation to the information we hold about you. For more information see https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/.

Access to information (Subject Access Requests)

Individuals can find out if we hold any of their personal information by making a ‘Subject Access Request’ under the General Data Protection Regulation. If we do hold information about you, we will: give you a description of it; tell you why we are holding it; and let you have a copy of the information in an intelligible form.

To make a request for any personal information we may hold, you need to put the request in writing, and send it to info@4curfuture.com. If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone or via email. We will conduct ID checks before releasing any information.

You can request that some or all of the data we hold about you is deleted at any time. However, the request for deletion will not include any non-identifiable aggregate data. Any deletion requested will be made within 30 days of receiving such a request, with confirmation of data deletion, in writing, via email.

Your rights as a Data Subject

If we process your personal data, you are referred to in law as a Data Subject. Under legislation, you have the right to:

  • Be informed about what we do with your information at the point of data collection.
  • Access your personal data that we process.
  • Rectify inaccuracies in the personal data we hold about you.
  • Be forgotten – this means you have the right to request your personal data is removed and/or deleted from our systems, except for information we are legally obligated to maintain.
  • Restrict the processing of your personal data, except for information we are legally obligated to process.
  • Obtain a copy of your personal data in a commonly used electronic form (see Subject Access Requests).
  • Object to certain processing of your personal data by us.
  • Request that we stop sending you direct marketing communications, for example by unsubscribing from our email newsletter.
  • Withdraw consent, only where data we process relies on your consent as the legal basis. The withdrawal of consent does not affect the legality of the processing prior to when consent is withdrawn.

Queries or complaints

We aim to meet the highest standards of data protection. We take any complaints we may receive very seriously. We encourage individuals to bring it to our attention if they think that our collection or use of personal information is unfair, misleading, or inappropriate. If you have any questions about this Privacy Notice, or our processing of your personal information, you can contact us by emailing info@4curfuture.com.

You can also contact the Information Commissioner’s Office (ICO) at www.ico.org.uk to find out more. The ICO is the UK’s independent authority, set up to uphold information rights in the public interest.

This Privacy Notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to info@4curfuture.com.

Data Controller Information

4C UR Future CIC is the Data Controller for your personal data and information.
C/O Catalyst Innovation Centre
Queens Road
Belfast
BT3 9AD

Email: info@4curfuture.com.
Personal Data Responsible Person: Rachel Doherty, Managing Director.

Changes to this Privacy Notice

We reserve the right to make changes to this Notice. Any changes to this Notice will be posted on this page and be clearly identified. Please check back frequently to see any updates or changes. This Privacy Notice was last updated on 14th November 2021.