Privacy Notice for OPEN SME Programme


This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with data protection legislation. It applies to all current and former employees, workers and contractors and does not form part of any contract of employment or other contract to provide services.

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.


Who we are?

The OPEN SME Programme is an online programme developed by a consortium led by Manchester Metropolitan University involving University of Bolton, University of Manchester, and University of Salford; and is funded by the Greater Manchester Combined Authority and Growth Company. We are committed to protecting the privacy and security of your personal information.

The funder Greater Manchester Combined Authority is the data controller. The University and our partners are data processors. We are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.


What information does the OPEN SME Programme collect?

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are special categories of more sensitive personal data, which require a higher level of protection.

The types of information we will collect and hold about you include:

  • Personal contact details such as your name, title, address, telephone numbers, email
  • Business data: business name, address, company house number, UTR (where applicable), business legal status, age of business, sector, turnover, profit, number of employees, selling channels, etc.
  • Other support programmes you attended before.
  • Where applicable, information about the requested business support needs and potential provision and assistance suggested to/agreed with you.
  • Information about your use of or participation in the online programme, including but not limited to the number of logins, time of participation, length of participation, module study statistics, diagnostic/assessments/benchmarking scores/reports.
  • Correspondence with or about you, for example email or letters to you about the programme and support requested or provided through us.
  • Photographs for use in marketing.
  • Recordings of your attendance and participation in our online clinic/drop-in sessions.


We may also hold categories of more sensitive personal information: equality monitoring information such as information about your age, gender, ethnic origin, disability.

Most of the information we hold about you will have been provided by you, but some may come from other external sources and intermediaries, such as referrals from the University partners. Data will be stored in the online programme platform, the University’s designated secure SharePoint locations, email systems and project-based CRM system.

The purposes of the processing / why does the OPEN SME Programme process personal data?

This section includes an explanation of our lawful basis for processing.


We will only use your personal information when the law allows us to. The University needs to process data to enter into a contract with you and to comply with our contractual obligations, for example, providing you with the agreed business support services, making claims to funders supporting the projects or undertaking many of the activities listed in the following paragraph. It also needs to process your data in order to comply with legal obligations, for example, subsidy control legislation.

The OPEN SME Programme needs to process personal data to pursue its legitimate business interests. Processing personal data allows the project to:


  • Operate recruitment and promotion
  • Maintain accurate and up-to-date programme participant records and contact details.
  • Operate and keep a record of activities and outcomes of the programme.
  • Maintain contact with you to ascertain the impact and results of the programme and your learning experience.
  • Communicate with you regarding learning journey progress, content updates, and programme news.
  • Provide referrals where applicable and appropriate to other business support agencies we believe could help you and your business.
  • Maintain and promote equality in the
  • Undertake business management and planning, including accounting and auditing.
  • Perform analysis aimed at improving programme quality, effectiveness and user experience.
  • Obtain feedback and conduct evaluations to enable further development and improvement of our projects (current and new).
  • Ensure network and information security and compliance with information and communication


Where the OPEN SME Programme relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees and has concluded that they are not.

Where we process special categories of personal information, such as those relating to your ethnicity, disability, or gender identity, this is done for the purposes of equal opportunities and diversity monitoring.

Some of the above grounds for processing will overlap and there may be several grounds, which justify our use of your personal information.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you if this position changes.


Recipients / who has access to data?

Your information may be shared with project delivery staff of Manchester Metropolitan University as well as the University’s Partners and Funders mentioned previously (and its representatives and auditors).

We will only disclose information about you to third parties if we are legally obliged to do so or where we need to comply with our contractual obligations, for instance we may need to pass on certain information about you to the relevant funding bodies. The OPEN SME Programme also shares data with third parties that process data on its behalf, for example consultants and auditors.

We do not send your personal data outside the European Economic Area. If this changes in the future, you will be notified of this and the safeguards in place to protect the security of your data.


How does the OPEN SME Programme protect data?


The OPEN SME Programme takes the security of your data very seriously and has internal policies and controls in place to try and ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by its employees in the performance of their duties. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. For more information, please see the University’s Data Protection Policy.

Where the OPEN SME Programme or the University asks third parties to process data on its behalf, for example consultants or evaluators, they do so on the basis of written instructions, are under a duty of confidentiality and must ensure that they have appropriate technical and organisational measures in place to keep the data secure.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.


Data retention / how long does the OPEN SME Programme and University keep data?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, contractual or reporting requirements.

Your personal data will be stored throughout your involvement with the OPEN SME Programme, and for a period afterwards: due to funding requirements, OPEN SME programme data need to be retained until at least 31st December 2035 or until notified by the funder that records can be destroyed.

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once project records are no longer required contractually and/or for statutory purposes, we will securely destroy your personal information in accordance with our data retention policy.


What if you choose not to provide personal data?

Where applicable, certain information are required to allow the OPEN SME Programme to enter into a contractual relationship with you as project funding streams have eligibility criteria that must be complied with.

OPEN SME programme is funded by public funding. You have certain obligations as a beneficiary of the programme to provide the OPEN SME Programme with data, in order, for example, to ascertain eligibility to access the funded support; ascertain previous state aid / UK subsidy awards etc.


Your duty to data accuracy

It is important that the personal information we hold about you is accurate and current. At the point that participants agree to enrol on the programmes, the University relies on the individual to provide accurate information and keep your own online profile up to date and accurate.


Data subject rights

As a data subject, under data protection legislation, you have various rights in relation to your personal data. You can:

  • Request access to your own data by making an access request – this enables you to receive a copy of the personal information we hold about you and check that we are lawfully processing
  • Request that we erase your personal data where we are not entitled by law to process it or it is no longer needed for the purpose it was
  • Request that processing of your data is restricted – this enables you to ask us to suspend the processing of personal information about you, for example if you want to establish or ascertain the reason for processing it.
  • Object to processing of your personal information where we are relying on our legitimate interests and there is something about your particular situation which makes you want to object to processing on this
  • Request the transfer of your personal information to another

In most situations, we will not rely on your consent as a lawful basis for processing your data. If we do request your consent to process your data for a specific purpose, you are under no obligation to provide it and you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before your consent was withdrawn.

If you wish to make an access request or assert any of the rights detailed above, please contact the Data Protection Officer using the contact details below.

Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) as the supervisory authority in respect of the processing of your personal data. We would encourage you to expend our internal complaints procedure through our initial contact and the University Data Protection Officer, prior to contacting the ICO. If you wish to contact the ICO the following contact information can be used: or telephone: 0303 123 1113. For any further contact information please see:


Contacting us

For further information about this privacy notice, and how we process your data, please contact in the first instance.


The University’s Data Protection Officer can be contacted using the e-mail address or by calling 0161 247 3884 or in writing to: Data Protection Officer, Legal Services, All Saints Building, Manchester Metropolitan University, Manchester, M15 6BH.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.