Privacy Notice for the Greater Manchester Cyber Foundry

This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with data protection legislation. It applies to all current and former employees, workers and contractors and does not form part of any contract of employment or other contract to provide services.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.

Who we are

The Greater Manchester Cyber Foundry, a partnership between Manchester Metropolitan University, Lancaster University, University of Manchester and University of Salford, is committed to protecting the privacy and security of your personal information.

The Greater Manchester Cyber Foundry partners are “data controllers”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

What information does the Greater Manchester Cyber collect?

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are special categories of more sensitive personal data, which require a higher level of protection.

The types of information we hold about you include:

  • personal contact details such as your name, title, address, telephone numbers, email address, information from due diligence check e.g. directorships and other relevant business interests;
  • date of birth and gender (where applicable, for example: start-up support);
  • evidence of your nationality and eligibility to work/start-up a business in the UK (where applicable for example: start-up support)
  • information about the requested business support needs and potential  provision and assistance suggested to/agreed with you;
  • correspondence with or about you, for example letters to you about the start-up/business support requested/  provided about/through our projects;
  • your national insurance number (where applicable);
  • information about your use of our information and communications systems;
  • photographs for use in marketing.

We may also hold the following categories of more sensitive personal information: equality monitoring information such as information about your marital status, ethnic origin, sexual orientation, religion or belief;

Most of the information we hold about you will have been provided by you, but some may come from other external sources and intermediaries, such as referrals from the Growth Hub; Chambers of Commerce, MHCLG etc. Data will be stored in a range of different places, including your beneficiary file, and in other IT systems, such as the University partners email system and project-based CRM system.

The purposes of the processing / why does the GMCF process personal data?

This section includes an explanation of our lawful basis for processing.

We will only use your personal information when the law allows us to. The University needs to process data to enter into a contract with you and to comply with our contractual obligations, for example, providing you with the agreed business support services, making claims to funders supporting the projects or undertaking many of the activities listed in the following paragraph. It also needs to process your data in order to comply with legal obligations, for example, state aid legislation.

The Greater Manchester Cyber Foundry also needs to process personal data to pursue its legitimate business interests. Processing personal data allows the project to:

  • operate recruitment and promotion processes;
  • determine the support, distribution and progress of beneficiaries of its projects and through its delivery partners;
  • maintain accurate and up-to-date project beneficiary records and contact details;
  • operate and keep a record of support provided through and funded by its project;
  • provide referrals where applicable and appropriate to other business support agencies we believe could help you and your business;
  • maintain and promote equality in the workplace;
  • undertake business management and planning, including accounting and auditing;
  • maintain contact with you to ascertain the impact and results of the support provided;
  • obtain feedback and conduct evaluations to enable the development and improvement of our projects (current and new);
  • ensure network and information security and compliance with information and communication policies.

Where the Greater Manchester Cyber Foundry relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees and has concluded that they are not.

Where we process special categories of personal information, such as those relating to your ethnicity, religious beliefs, sexual orientation, disability or gender identity, this is done for the purposes of equal opportunities monitoring.

Some of the above grounds for processing will overlap and there may be several grounds, which justify our use of your personal information.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you if this position changes.

Recipients / who has access to data?

Your information may be shared with project delivery partners, including: Manchester Metropolitan University, Lancaster University, University of Manchester and University of Salford, as well as the Ministry for Housing, Communities and Local Government.

We will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual obligations, for instance we may need to pass on certain information about you to the relevant funding bodies supporting the Unit and its Projects. The Greater Manchester Cyber Foundry also shares data with third parties that process data on its behalf, for example consultants and auditors.

We do not send your personal data outside the European Economic Area. If this changes in the future, you will be notified of this and the safeguards in place to protect the security of your data.

How does the Greater Manchester Cyber Foundry protect data?

The Greater Manchester Cyber Foundry takes the security of your data very seriously, and has internal policies and controls in place to try and ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. For more information, please see the University’s Data Protection Policy.

Where the Greater Manchester Cyber Foundry or the University asks third parties to process data on its behalf, for example consultants or evaluators, they do so on the basis of written instructions, are under a duty of confidentiality and must ensure that they have appropriate technical and organisational measures in place to keep the data secure.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data retention / how long does the GMCF and University keep data?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, contractual or reporting requirements.

Your personal data will be stored throughout your involvement with the Greater Manchester Cyber Foundry project, and for a period afterwards: due to funding requirements all ESIF funded projects will need to be retained until at least 31st December 2035 or until notified by Government that records can be destroyed.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once project records are no longer required contractually and/or for statutory purposes we will securely destroy your personal information in accordance with our data retention policy.

What if you choose not to provide personal data?

Certain information, such as contact details, your eligibility to work in the UK etc. are required to allow the Greater Manchester Cyber Foundry to enter into a contractual relationship with you as project funding streams have eligibility criteria that must be complied with.

You have certain obligations under your beneficiary contract to provide the Greater Manchester Cyber Foundry with data. For example, to ascertain eligibility to access funding support; ascertain previous state aid awards etc.

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Data subject rights

As a data subject, under data protection legislation, you have various rights in relation to your personal data. You can:

  • request access to your own data by making an access request – this enables you to receive a copy of the personal information we hold about you and check that we are lawfully processing it;
  • request that we correct any inaccuracies in the data that we hold about you;
  • request that we erase your personal data where we are not entitled by law to process it or it is no longer needed for the purpose it was collected;
  • request that processing of your data is restricted – this enables you to ask us to suspend the processing of personal information about you, for example if you want to establish its accuracy or the reason for processing it;
  • object to processing of your personal information where we are relying on our legitimate interests and there is something about your particular situation which makes you want to object to processing on this ground;
  • request the transfer of your personal information to another party.

In most situations we will not rely on your consent as a lawful basis for processing your data. If we do request your consent to process your data for a specific purpose, you are under no obligation to provide it and you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before your consent was withdrawn.

If you wish to make an access request or assert any of the rights detailed above, please contact the Data Protection Officer using the contact details below.

Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) as the supervisory authority in respect of the processing of your personal data. We would encourage you to expend our internal complaints procedure through our initial contact and the University Data Protection Officer, prior to contacting the ICO. If you wish to contact the ICO the following contact information can be used:  casework@ico.org.uk or telephone: 0303 123 1113. For any further contact information please see: https://ico.org.uk/global/contact-us/.

Contacting us

For questions or concerns about this Privacy Notice or how we store and use your personal information, please contact Chris Taylor, on 0161 247 3381, or by e-mail christopher.taylor@mmu.ac.uk in the first instance.

Data Protection Officer – The University’s Data Protection Officer can be contacted using thelegal@mmu.ac.uke-mail address or by calling0161 247 3884 or in writing to: Data Protection Officer, Legal Services, All Saints Building, Manchester Metropolitan University, Manchester, M15 6BH.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.