
General Data Protection Regulation

The General Data Protection Regulation (‘GDPR’) is the new legal framework which came into effect on the 25th of May 2018 within the European Union.

The GDPR focuses on the protection of personal data, i.e. data which directly or indirectly identifies individuals, and sets out the responsibilities of businesses in relation to the personal data they collect, hold, transmit and otherwise use.

Even before GDPR was unveiled, Education Umbrella acted largely in accordance with what was to become the new framework. Below are the terms by which Education Umbrella has interpreted the new legislation and ensured that it is acting in accordance with it, which form part of the Education Umbrella general terms and conditions.

Understanding and implementation of General Data Protection Regulation (EU) 2016/679.

Education Umbrella acts in both the capacity of a data controller and a data processor, and therefore undertakes to act according to some key principles:

  • Always processing personal data securely by means of appropriate technical and organisational measures.
  • Having always in place sufficient risk analysis, organisational policies, and physical and technical measures to satisfy the requirements of the Regulation.
  • Employing measures such as pseudonymisation and encryption in the storing and analysis of data wherever feasible.
  • Ensuring the confidentiality, integrity and availability of Education Umbrella’s systems and services, and the personal data it processes within them.
  • Having appropriate processes in place to test the effectiveness of its measures, and undertake any required improvements.
  • Gaining clearly demonstrable consent for all data collected.
  • Gaining consent only as a freely given, specific, informed and unambiguous indication of the wishes of the data subject, either by a statement or by a clear affirmative action, signifying agreement to personal data relating to them being processed.
  • Being available for inquiries from data subjects on issues relating to data requests, data protection practices, withdrawal of consent, the right to be forgotten and related rights.

What data Education Umbrella collects and holds.

Education Umbrella collects personal data as part of a number of processes:

  • When registering online, Education Umbrella collects personal data required to securely identify a user, including but not necessarily limited to email address, full name, and job description (if applicable).
  • When ordering via any medium, Education Umbrella collects personal data required to deliver the products ordered, including but not necessarily limited to delivery address, email address, full name, phone number, and job description (if applicable).
  • When a customer or potential customer browses the Education Umbrella website, certain pieces of personal data may be collected. These may include, but are not limited to, full name, email address, and IP address.

Why Education Umbrella collects this data.

Fulfilling orders: Education Umbrella may utilise a customer’s personal data in order to provide the service for which the customer has employed them. This might include, but is not limited to: using personal data to deliver products to the data subject; using personal data to communicate the receipt of orders, invoices, payment confirmation, critical updates, or bespoke communication directly relating to an order; using necessary personal data to facilitate the digital delivery of certain digital products, such as (but not limited to) TEC products, Kerboodle or Dynamic Learning.

Marketing: Where demonstrable consent has been gained, personal data may be used in order to send relevant marketing to the data subject.

Analysis: Occasionally, Education Umbrella analyses data which may include personally identifiable data, or organisational information which could be correlated with personal data, leading to a classification of ‘inferred data’. Whilst not likely to result in a risk to the rights and freedoms of individuals, this should still be noted.

Documentation of processing activities.

Under Article 30 of GDPR, Education Umbrella qualifies as a small-or-medium-sized organisation, meaning that it documents data processing activities, but only those that:

  • are more than just a one-off occurrence/something it does rarely
  • are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals)

The sharing of personal data by Education Umbrella with third parties, and the responsibilities of third parties with relation to General Data Protection Regulation.

In certain cases Education Umbrella passes personal data to third party data processors, for the purpose of providing the service for which it is employed by the customer, and only when necessary. For a full list of non-software/service subcontractors of Education Umbrella, and proof of their compliance with GDPR legislation, please see Appendix a. For a full list of software-based/service-provider third-party data processors, and proof of their compliance with GDPR legislation, please see Appendix b.

Employment at Education Umbrella relating to General Data Protection Regulation.

The employee code of conduct specifies rules governing the use and misuse of personal data within Education Umbrella. Foundational principles include:

  • Personal data to be accessed via authorised devices only;
  • Personal data not to be sent to anybody except authorised contacts working for documented subcontractors, and then only where necessary;
  • Copies of personal data to remain on devices only for as long as they are necessary, before being securely deleted.
  • Personal data not to be accessed by anybody without a sound and necessary business reason to do so.

Standard contract terms at Education Umbrella include clauses to ensure the above is at all times understood and abided by. Furthermore, all Education Umbrella employment contracts include confidentiality and gross misconduct clauses to ensure that personal data of any sort is not communicated outside the organisation.

Breach notification process.

In an instance of a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, Education Umbrella will report the breach to the ICO without undue delay and within 72 hours where feasible. Where such breach is likely to result in a high risk to the rights and freedoms of individuals, Education Umbrella will communicate information regarding the personal data breach to the affected data subjects without undue delay.

Education Umbrella makes records of all breaches, regardless of whether or not they are reported to the ICO, documenting the facts relating to the breach, its effects and the remedial action taken in accordance with Article 33(5).

Deletion of personal data upon request.

Upon request, Education Umbrella follows a documented process to remove all personally identifiable information from its systems, backups, and archives, and to notify all downstream data recipients of such a request, in accordance with Article 17 of the GDPR (the right to erasure). Any customer has a right to make such a request and have it fulfilled without charge, under the condition that the data is no longer required for the reasons for which it was collected – about which Education Umbrella will notify the requester. To make such a request, please send an email to admin@educationumbrella.com with the subject line ‘REQUEST FOR DELETION OF PERSONAL DATA’, and include your full name, the email address(es) you wish to be removed, and your school address (if applicable).

Education Umbrella undertakes to respond to such requests within three working days, and to delete all personal data within 30 days.

Other rights under GDPR.

As well as the right to erasure, the GDPR introduces a series of rights for individuals who are subjects of private data, with which Education Umbrella fully complies. These rights are briefly outlined below. Where requests are made, Education Umbrella undertakes to respond within one calendar month.

| Your right | Substance | How to exercise |
| --- | --- | --- |
| Right to be informed | What Education Umbrella collects and holds relating to a data-subject, and why. | All information is contained in this document (the Education Umbrella privacy policy). |
| Right of access | A data-subject has the right to access their personal data held by Education Umbrella, without charge (except in exceptional cases). | Request via email to admin@educationumbrella.com with the subject line ‘REQUEST FOR ACCESS TO PERSONAL DATA’, or by phone call to 01242 604408; include your full name, email address(es), and address(es) (where applicable). |
| Right to rectification | A data-subject has the right to rectify inaccuracies in their personal data held by Education Umbrella, without charge (except in exceptional cases). | Request via email to admin@educationumbrella.com with the subject line ‘REQUEST FOR RECTIFICATION OF PERSONAL DATA’, or by phone call to 01242 604408; include your full name, email address(es), and address(es) (where applicable). |
| Right to restrict processing | Individuals have the right to request the restriction or suppression of their personal data. | Request via email to admin@educationumbrella.com with the subject line ‘REQUEST FOR RESTRICTION OF PROCESSING’, or by phone call to 01242 604408; include your full name, email address(es), and address(es) (where applicable). Please note that this is not an absolute right and in certain instances may not be possible. |
| Right to data portability | The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. | Where a request for access to data is made, the resulting data will be provided in a structured, commonly used and machine-readable format. |
| Right to object | The right of individuals to object to the processing of their personal data in certain circumstances. | Request via email to admin@educationumbrella.com with the subject line ‘REQUEST FOR RESTRICTION OF PROCESSING’, or by phone call to 01242 604408; include your full name, email address(es), and address(es) (where applicable). Please note that this is not an absolute right and in certain instances may not be possible. |
| Rights related to automated decision making including profiling | Multiple, please see: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/ | Relevant details will appear in this privacy policy. To request further information, or human intervention in the processing of an individual’s personal data, send an email to admin@educationumbrella.com with the subject line ‘REQUEST RELATING TO AUTOMATED DECISION MAKING’, or phone 01242 604408; include your full name, email address(es), and address(es) (where applicable). |

For further information on your rights, refer to the ICO website’s section on individual rights (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/).

Any customer may make a request under any of their rights by sending an email to admin@educationumbrella.com with the subject line ‘REQUEST FOR [THE RIGHT YOU ARE REQUESTING]’ and including their full name.

Appendix a: Subcontractors

Below is a full list of subcontractors employed by Education Umbrella and involving the sharing of personal data from Education Umbrella to the subcontractor:

| Subcontractor | Purpose | Personal data shared includes | GDPR Compliance |
| --- | --- | --- | --- |
| Bertrams, 1 Broadland Business Park, Norwich, Norfolk, NR7 0WF | Fulfilment of orders | Customer name, phone number and given address. | https://www.bertrams.com/img/bert2.0/help/BertramsPrivacyStatement2018.pdf |
| Hodder & Stoughton Limited, Carmelite House, 50 Victoria Embankment, London EC4Y 0DZ | Fulfilment of digital product orders | Customer full name, email address and school address (where applicable). | https://www.hoddereducation.co.uk/privacynotice |
| Oxford University Press, of Great Clarendon Street, Oxford OX2 6DP | Fulfilment of digital product orders | Customer full name, email address and school address (where applicable). | TBC |
| Pearson, 80 Strand, London WC2R 0RL | Fulfilment of digital product orders | Customer full name, email address and school address (where applicable). | https://www.pearson.com/uk/pearson-privacy-and-you/privacy-policy/digital-learning-services-privacy-policy.html Contract, available upon request. |
| In2Print, Phoenix House, Elmstone Business Park, Stoke Road, Elmstone Hardwicke, Cheltenham, Gloucestershire GL51 9SY | Postal marketing | Customer full name, department and school address (where applicable). | Contract, available upon request. |

Appendix b: third-party hosted software and services

| Software/service | Purpose | Personal data shared includes | GDPR Compliance |
| --- | --- | --- | --- |
| ActiveCampaign LLC | Email marketing | Customer email address, full name | Contract, available upon request. |
| Google Analytics | Website analytics | Customer email address, full name, IP address | https://privacy.google.com/businesses/compliance/#?modal_active=none |
| Amazon Web Services | Database hosting | Customer email address, full name, job title, delivery address(es), | https://aws.amazon.com/compliance/gdpr-center/ https://aws.amazon.com/compliance/data-privacy-faq/ |
| Sage Ltd | Online payment processing | Payment card details, billing address, email customer full name. | http://www.sage.com/company/gdpr |