Executive Summary - Data Privacy
ScholarPack’s Management Information System (MIS) provides streamlined essentials for Primary schools. This policy applies to information about users of our services and anyone else’s data which is stored using our services.
ScholarPack is committed to protecting your personal information when you are using ScholarPack services. We want our services to be safe and useful for our audience. This policy applies to information held about you and individuals connected to your Organisation by ScholarPack which acts as either a data controller or a processor depending on its role, as described below.
- Who we are and how to contact us
- How ScholarPack may collect data from you and other data sources
- The laws that apply to our use of your information
- Our roles when handling your data
- What ScholarPack will use this information for and how it will protect it
- When ScholarPack may use your details to contact you with marketing
- Whether ScholarPack will disclose your details to anyone else and in any overseas country, and
- Your choices regarding the personal information you provide to us
We may need to update this policy and we will give you notice of this where reasonably possible; where you have given us your email address, we may use this to notify you of such changes and we will post a note on the sites to inform you that this policy has been updated. Please check this policy regularly to ensure you always understand how we use your information. All terms that are defined in this policy shall have the meanings given to them in the User Terms.
1. Who we are and how to contact us
ScholarPack’s MIS provides a light, cost-effective system that does the basics really well, filters out complexity, and is easy for your office team to master. ScholarPack gives you all the functionality you need, and nothing you don’t. We are part of the same group of companies as Governor Hub (which offers online resources to school governors), Arbor (which offers a management information system to schools) and The Key (which provides up-to-the-minute sector intelligence and resources that empower education leaders with the knowledge to act).
Our data protection lead (DPL) responsible for communicating with you about our use of your data can be contacted at firstname.lastname@example.org
2. How we collect data from you and other data sources
This policy relates to our use of any personal information we collect from you:
- From any ScholarPack website that links to this policy
- From your use of our MIS and any other products and services
- From you accessing official ScholarPack content on other websites including social media
You give us your personal data directly through setting up your user account profile and marketing preferences, submitting your data to the school’s MIS, commenting on content on our site, entering competitions and surveys, submitting ideas, booking event tickets as well as personal information you provide to us by phone, SMS, livechat, email, in letters and other correspondence and in person. It may also include data contained in content and records you upload to the site.
The types of this direct information we collect about you may include:
- Your name and job title
- Your user name
- Your email addresses
- Your postal address
- Telephone or mobile numbers
- Your relationship to other users e.g. as a guardian
- Your communication preferences
- Your user generated content
- Your billing details
- Your academic record including behaviour, attainment and attendance
- Your medical needs and dietary requirements
- Any Special Education Needs you may have
- Your school(s) / academies / trust at which you are registered as a user
- Your career experience
- Other information we receive from your organisation
- We may also process your training records
In addition, ScholarPack may receive and process technical data about you through:
- The information we get from your day to day use of our MIS (for example frequency of visits, how long you spend on each page and the content you view, interact with, download and upload)
- Your IP address (which is a number that can uniquely identify a specific computer or other network device on the internet) and other unique online identifiers such as Google Advertising IDs
- Your browser type
- Your device’s operating requirements and its settings and permissions
- Your location
We need this data to assist with customer and technical support, to verify your credentials and access levels and to help our business understand the way our users interact with our service.
We also may collect data from the following third-party data sources (provided such collection and use is in accordance with data protection laws):
- Any publicly available social media sources that may help us understand our audience and what products you might be interested in
- Our third-party service providers (e.g. to tell us you have paid for a product or extended your renewal or that a support ticket has been closed)
- Our group companies (e.g. to tell us what products you are likely to find interesting)
- Other subscribers to our services (i.e. through our ‘invite a colleague’ referral function or other individuals at your school (such as the teachers or administrators at your school)
- Third party list providers
3. The data protection laws and principles we honour
Whenever we process your personal information, we are legally obliged to use your information in line with all applicable laws concerning the protection of personal information, including the UK Data Protection Act 2018 as those laws may be replaced or amended from time to time. These laws are referred to collectively in this policy as the “data protection laws”.
A fundamental feature of the data protection laws is the establishment of privacy principles at Article 5 of the GDPR including the principles of transparency, purpose-limitation, data accuracy, retention/storage, data security and integrity, and data minimisation. We operate our business in accordance with these principles.
A key principle of the GDPR is that we must have a lawful basis to use your data.
The six forms of lawful basis that are available are summarised below:
1. Consent - The consent of data subject to the processing of his/her personal data
2. Contractual necessity - Processing is needed in order to enter into or perform a contract with the data subject
3. Legal obligations - The controller is obliged to process personal data for a legal obligation
4. Legitimate interests - There is a weighed and balanced legitimate interest where processing is needed and the interest is not overridden by the interest of the data subject
5. Public interest - Issues which are in the scope of public duties and interest
6. Vital interest - It is vital that data is processed for matters of life and death
Where we act as a data controller (please see section 4 below), we rely on two main legal bases for its use of your data.
Firstly, that our use is necessary in order to perform our contract with you (being our User Terms and any documents they refer to) and is a reasonably proportionate and integral use of your data. For example, this applies when we use your data to provide you with access to our resources and to fulfil orders for the products you have requested, to manage product and technical support, to bill you and to run integral support tools including engagement of essential third party providers.
Secondly, we rely on the ‘legitimate interests’ basis where our use of the data has been analysed to be balanced in our interests. This would cover our marketing and business intelligence and certain sales functions, certain of our analytics tools, our personalisation of your content, our processing of auto renewals, the development of our services and our engagement of third-party providers to provide any non-essential functions. We will continually assess our legitimate business needs against the need to maintain and protect your individual rights and freedoms. We are happy to make our assessment of our legitimate interests available to you upon request. In summary, we conduct a 3-stage test to challenge ourselves and confirm our legitimate interests to hold personal data as follows:
- We identify what our legitimate business interests are at any given time
- We check the necessity of processing the personal data for the purpose which we are intending. We check that there are not any less intrusive means to deliver the objective
- We make sure we weigh the balance of the interests of our business with the interests of the individuals whose personal information we hold
- We may also rely on your explicit consent on occasion during your online journey – for example to send you certain SMS messages, email messages, certain news briefings, some survey requests or where you wish us to help you share your professional experience with others
- When we do use your data and whichever legal basis we rely on, we will always ensure we consider that it is necessary and proportionate
4. Our roles as a data controller and a processor
In common with most businesses, we handle your data in two different ways – firstly as a data controller when we handle your data for our own business purposes and make decisions on how and why to do this. This includes when we use it for marketing, invoicing, service development and to provide you with the service you have subscribed to.
Data controller vs data processor
When is ScholarPack a Data Controller and when are we a Data Processor?
ScholarPack is a data controller when:
- Registering you as a user of our services and providing you with our online content and support
- Marketing to you, personalising your content and sending you surveys
- Messaging between you and us and invoicing
- Anonymising and aggregating your data to add to our benchmarking and analytics data sets. None of your personal data will ever be used for such benchmarking and analytics; we anonymize all data before such usage.
- Using usage and technical information you generate/customer support. This is for processing such as analytics, site usage, type of browser/device, frequency of visits, customer support and service development. We control the service as a product and are responsible for its performance, upgrade and fixes
ScholarPack is a data processor:
- When you use our MIS to access or provide information about teaching professionals and students
- When you use our site to upload records about third parties such as other teaching professionals within your organisation or students
We may use these records as a data controller also (e.g. to build a marketing profile for you) but when we display them to you we do so on behalf of your school organisation. We do not claim ownership over any of the data processed as a data processor but you grant us a licence to use that data in accordance with the User Terms and this policy.
5. What will ScholarPack use your information for?
We use your information:
- To provide you with access to our MIS
- To provide third party service providers which provide services to you or your school to access our MIS via an API and access and update the relevant information
- To manage and run integral product and technical support tools and to provide you with requested support
- To bill you, where relevant
- For our marketing functions including (unless you tell us otherwise) telling you about products and services we think may be relevant for you
- For business intelligence - to better understand our users and their locations so that we can personalise content, use analytical tools, improve online navigation and for product and service improvement
- To render it into an aggregated/anonymised data set for use in benchmarking across our subscribers and those of our group companies (see Section 7 in relation to our sharing of your information)
- To ensure the technical security and business continuity of our systems
- To aid the development and improvement of our services
- To enforce our legal rights and comply with our legal obligations
We may also (directly or through third party providers) use your information to contact you about subscription renewals.
We may also monitor information and communications which may be recorded for purposes of quality assurance, training and fraud prevention.
Do we use automated decision making?
We may use automated systems or triggers to help us identify your compliance with the User Terms and to help us make decisions, for example helping us to identify the relevance of products or services to users or to help us understand the renewal risk profile of an individual user or group of users. These decisions do not have a legal or significant effect on you and do not affect the price offered to you. Individuals may have a right to certain information about automated decisions we make about them and may also have a right to request human intervention and to challenge the decision. More details can be found in the ‘Rights of individuals’ section below.
6. Marketing and other contact
ScholarPack has two key reasons for contacting you (we may contact you within the MIS, using online live chat, by telephone, SMS or email, by post or social media as described in this policy):
Firstly, to provide you with service messages. Examples of these messages may be requests to verify user credentials, to confirm your instructions, to inform you of renewal options, to communicate security, product and policy updates, to assist you with technical support or in relation to any correspondence we receive from you or any comment or complaint you make about ScholarPack products or services.
Secondly, ScholarPack may need to contact you for its marketing purposes. This may take the form of:
- Direct postal mailings where the mailing is in our legitimate interests of informing you about a product or service we think you will find useful and will help grow our business
- Email or SMS messages where this is legally permissible – for example where you are an existing user and our marketing is about similar products and services. We will always provide you with a way of opting out from hearing from us in the future
- To invite you to participate in surveys or research – these may either be for our own legitimate business intelligence and marketing purposes or they may be needed for sectoral research for our online content (participation is always voluntary)
- Offering you free trials or demos of new products or services for our legitimate interests of informing you about a product or service we think you will find useful and growing our business
- Offering you the opportunity to take part in competitions and promotions
- We do not track your online behaviour once you leave our Site. We may use information which we hold about you to show you relevant advertising on popular third-party sites (e.g. LinkedIn, Facebook, Google, Instagram, Snapchat and Twitter). This could involve showing our members an advertising message on a third party site. We do this by matching data with social media sites who create audiences for our advertising campaigns. If you don’t want to be shown targeted advertising messages from ScholarPack, some third party sites allow you to request not to see messages from specific advertisers on that site in future. You can also contact us to request this at email@example.com
- Offering you an extension to your subscription
You may opt out of receiving marketing by amending your preferences. You can do this by clicking the link on any marketing emails we may send you.
We may use analytics and business intelligence tools for the legitimate business interests of supporting our marketing function. This means:
- We use third party analytics providers (like Google Analytics) to analyse your use of our MIS and other systems and what products may be of interest to you
- We may analyse what social media sites you engage with and how you interact with them as well as analysing the content of your social media professional profiles and when we are in a social media group together we may use the content of the group for the legitimate interests of our business intelligence and to understand our customers’ needs
We may use information provided by these sites to enrich your profile – i.e. to understand better which product or service may be of interest to you as long as it is necessary and not excessive. We do not use automated decision making in relation to this activity that has a legal or significant effect on you and we always diligence the providers for compliance with data protection laws. Please read the privacy policies of all social media sites you engage with for details of how they may share this information with us by creating customised audiences for example. We may advertise to you as a result of this information (see above) but we never track the third party sites you visit after visiting our site.
- We may use third parties to send you marketing, news briefings or renewal reminders. We only ever choose third parties that meet our security requirements and comply with data protection laws. ScholarPack requires these third parties to comply strictly with its instructions and ScholarPack requires that they do not use your personal information for their own business purposes
- We may use third party sources to match our data with theirs or to help cleanse our data if you have consented to this.
- Some emails that we send you have no tracking in at all e.g. support or service emails. Other emails we send include tracking so that we can tell how much traffic those emails send to our site. In some emails we can track, at an individual level, whether the user has opened and clicked on links in the email.
7. Will ScholarPack share my personal information with anyone else?
Within our group
There are times when we may share your information with other companies in the Key Support group of companies from time to time (for further details: https://thekeysupport.com/about/ ). This will be relevant when some of our internal support services are shared across our group. It will also apply where we have your consent to give you access to online content forming part of a wider group product suite and to market group company products and services to you.
It is possible that we could sell our business to a third party, or re-organise our business or become insolvent. In that scenario, our database of customers may be shared with the buyer(s) and their advisers in order to facilitate your service.
With our service providers
Sometimes ScholarPack uses third parties to process your information on our behalf, for example to provide services such as service development, email deployment or cloud storage services or analysis of the technical data we use. We need these providers to provide us with their services for our legitimate interests of operating our business and our Site effectively. They fall into the following categories:
- Accounts and billing, payment and card providers (we do not view or store your card details in ScholarPack’s system. Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS))
- Sales fulfilment and customer support
- Messaging services
- Business intelligence analytics
- Site usage analytics
- Technical support
- Survey providers
- Marketing support
- Legal, accounting and finance support
- Cloud Infrastructure
When we use the services of others it will be required in order to fulfil our obligations under our User Terms or it will be in the legitimate interests of growing our business and improving your use of our products and services.
With third party list providers
We may purchase information from third parties about you when we have confirmed that you have been told about this and we have undertaken appropriate due diligence on compliance. We will always process your data in compliance with data protection laws.
Will other end users be able to see my data?
Your account profile sets out the relevant permissions to access your data. Certain permitted administrators will be able (and must be able) to view certain information relating to your profile.
Administrators at each school can view certain information relating to their school, such as a list of all the other permitted users at their school, including their first name, surname and role.
On occasion, or upon receiving a request, we will email the administrator and/or the individual (or body) who authorised or organised membership on behalf of your school, to inform them that a new user has registered with us. This is intended to help ensure that people who register are eligible to use the service.
You can also set your preferences for certain products to allow us to share your references, training records or testimonials with third parties.
Sharing aggregated or anonymised information
In line with the organisational and technical measures and techniques of anonymisation and/or pseudonymisation advocated by the data protection laws, we may share aggregated or anonymised information within and outside of ScholarPack - with members of our group and with partners. You will not be able to be identified from this information.
We may also use and disclose information in aggregate (so that no individuals are identified) for marketing and strategic development purposes. We may use all or any part of your information and combine it with other user’s information to produce anonymous statistical data which we may use internally or share with third parties. Such data will not identify you or any other user personally. For example, such data may show: live national averages, numbers of documents stored, contextual benchmarks for schools like you and predictions of relevant eventualities. These examples are illustrative only and are not intended to be an exhaustive list.
Disclosures required by law
We may also process your data where we have a legal duty to do so (this includes exchanging information with other companies and organisations for the purposes of fraud protection) or in connection with regulatory reporting, litigation or asserting or defending legal rights and interests.
8. Overseas Transfers of your data
ScholarPack’s group companies are currently all located within the UK and our internal servers are there also or within the EEA.
The only occasions when we may transfer your personal data outside of the EEA and the UK are:
- Transfers to third parties we contract to manage your data, such as using MailGun in relation to our email service.. We always ensure that such transfers meet the requirements of data protection laws and that (a) such information is protected by suitable and legally approved safeguards and (b) that we are comfortable with the recipient’s security arrangements. For further details, please contact firstname.lastname@example.org
- Transfers that are required by law
9. Offensive or inappropriate content on our Site
The User Terms shall govern the behaviour, standards and acceptable uses of our MIS and other services. If a User posts or uploads content which is disruptive or may reasonably be deemed to be offensive, inappropriate or objectionable or otherwise in breach of our User Terms, we may remove such content and may deny you access to the Site temporarily or permanently as we see fit.
Where we reasonably believe that you are or may be in breach of any applicable laws, in respect of hate-speech for example we may disclose your personal information to relevant third parties, including to law enforcement agencies or your mobile phone operator or other internet communications provider and relevant third parties such as your school and other agencies about the content and your behaviour. We shall only do so in circumstances where such disclosure is permitted under applicable laws, including data protection law.
10. How long will ScholarPack keep my information?
We will store the information linked to your account during the term of your subscription but we will keep this information under regular review to ensure we still need to use it.
We will disable your account if your account is terminated for any reason. We may then keep limited data about your account for a period in line with our data retention policy from time to time in force. To determine the appropriate period, we consider the amount of data, its nature and sensitivity, the potential for harm and whether we can achieve our purposes through other means as well as our applicable legal requirements. Details of our records retention policy is available upon request. We will regularly cleanse this data. We will also delete your data on your request though we may hold a list of the ‘opt out’ requests to administer your request.
Please note that regulatory requirements in the UK in relation to certain educational information may require us to retain such information for a period beyond our usual data retention policy. Please contact us if you would like further information on this issue.
11. How we protect your data
We have implemented reasonable and appropriate security measures to protect the data we hold about you on our servers including HTTPS and the industry standard for encryption and SSL technology. I In addition, we are UKAS ISO27001 accredited a copy of our certificate and Statement of Applicability can be requested by contacting email@example.com. We undertake periodic internal and external audits to maintain the standard.
No service can ever be completely secure, and we cannot guarantee that data breaches will never occur. So please keep your account details and your Device safe from unauthorised use or intervention at all times – and remember to log out or close down stale or inactive pages after use.
You should not allow others to access your account, for example by sharing your login details.
If you have any concerns that your ScholarPack account could have been compromised e.g. someone could have discovered your password, please get in touch straight away.
For security purposes only, in the future, we may require users to verify their credentials. We also reserve the right to contact the school in the event of any unusual or noteworthy login activity or patterns of usage. We won’t use this information for unexpected reasons.
We also do not recommend that you put email addresses, URLs, phone numbers, full names or addresses, holiday / home absence information, credit-card details or other identifying or sensitive information in any online messaging function now or in future.
12. Your rights
- You have a number of rights in relation to the information that we hold about you as a data controller which are summarised below. You can exercise your rights by contacting us at firstname.lastname@example.org. You may also wish to contact your school for information they hold as a data controller
- The right to be informed about our use of your data. This is met by this Policy
- The right to access information we hold about you and to obtain information about how we process it (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Please note that we may ask you to specify what you wish to see in order to focus our search, and we may have to verify your identity/authority
- In some circumstances, the right to withdraw your consent to our processing of your information, which you can do at any time. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent
- In some circumstances, the right to receive certain information you have provided to us in an electronic format and/or request that we transmit it to a third party
- The right to request that we rectify your information if it’s inaccurate or incomplete though we may need to verify the accuracy of the new data you provide to us. At any time you can review or request to change the information you submitted during registration by visiting the Your Profile section once logged in. You should update your information if it changes, and the school administration will verify your change
- In some circumstances, the right to request that we erase your information where there is no good reason for us continuing to process it. We may continue to retain your information if we’re entitled or required to retain it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- The right to object to, and to request that we restrict, our processing of your information in some circumstances for example where we are relying on our legitimate interests or using it for direct marketing. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we’re entitled to continue processing it and/or to refuse your request
- Individuals have a right to complain to the UK Information Commissioner’s Office by visiting www.ico.org.uk, or to the data protection regulator in the country where they live or work
First version in this format