Our website address is: https://www.gcsepod.com
That notice applies to personal information of which we’re a “controller” including:
The notice doesn’t apply to our corporate customers’ use of personal information or to our use of that personal information on the customer’s behalf, for which we’re a “processor”. Please see the next section for that.
Full details on how we process data on schools’ behalf can be found in our data sharing agreement (see downloads section), but here are some technical details:
Additionally, we are a CyberEssentials certified provider.
GDPR is the ‘General Data Protection Regulation’ – a European-wide law with some deliberate gaps which are plugged by the UK Data Protection Act 2018. It’s very complicated, but in basic terms, it is a strengthening of individuals’ rights in terms of what can be done by whom to their personal data. After Brexit, the GDPR will be replaced by the UK GDPR, a UK version of the GDPR.
Do I have to do anything about it?
If you’re a parent, you don’t really need to worry as the GDPR doesn’t cover purely personal or household use of data. If you’re a school or an institution that holds personal data in any form, absolutely. You need to take steps to ensure the data you hold on people is secure and minimised, and that the person in question is aware of what data you have on them for what purpose. You also need to ensure that any organisations you use to process (that is to say, interact with in any way) that data is up to scratch. Like us!
So, what are you allowed and not allowed to do in principle?
There are lots of requirements. A key one is that you need to tell people exactly what’s going to happen to their data and make sure you have consent or another legal basis for using it. If the data is sensitive, you need a second legal basis on top of the first one.
So if a school wants to use GCSEPod, GCSEPod needs to ask every student for consent?
No. We don’t control the data, we process it on your behalf. If you use GCSEPod, it is your responsibility to identify which legal basis you will rely on, whether that’s consent or another legal basis from GDPR. We can’t advise you on that.
Is there a document that lays out what you do with data in full?
Yes! It’s called a data sharing agreement or a DSA, and you get one as part of the setup process. This FAQ is intended only as a primer before you read the more in depth version. You can download a copy from this page.
How and where is our data stored and what security used to ensure its safety
Your data is stored in an Amazon Web Services (AWS) datacentre in Dublin, Ireland. Here’s a link to the AWS white paper on security: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
Here’s some of our general security measures:
How long is personal data kept?
At the end of your subscription, we can destroy or return the data as you choose. The data sharing agreement says that if you don’t make that choice, your instructions are that we are to destroy the data after 6 months.
How is the data destroyed when no longer needed?
All personal data is anonymised so that it’s completely impossible to tie an individual to any remaining data (like number of Pods watched). This renders it inert for GDPR’s purposes.
How do schools access the relevant data sharing agreements
Your data integration service (Wonde/XoD) displays the data sharing agreement during the setup process. Or you can download it from this page.
What data does GCSEPod need from Wonde and XoD?
GCSEPod needs user data: some of it mandatory (e.g. to set up user accounts) and other data optional depending on what schools want to measure: it may be useful for the school for marking and reporting on usage but not necessary. The data sharing agreement has a list of data and how it’s used in GCSEPod.
What else do I need to know about you?
Office Address: UK Office:
Newcastle Enterprise Centres,
6 Charlotte Square, Newcastle upon Tyne NE1 4XF
ICO registration number: Z1442893