That notice applies to personal information of which we’re a “controller” including:
personal information of individuals who’ve bought a subscription to GCSEPod, and
the contact points we have at our corporate customers such as schools.
The notice doesn’t apply to our corporate customers’ use of personal information or to our use of that personal information on the customer’s behalf, for which we’re a “processor”. Please see the next section for that.
How we process our customers’ data under GDPR
Full details on how we process data on schools’ behalf can be found in our data sharing agreement (see downloads section), but here are some technical details:
All student data is held within the EU (see 6.3.1 of the data sharing agreements)
You retain full control over what bits of data we can access
All data in transit is encrypted using SSL/TLS
Data at rest is encrypted with AES
All personal data is returned or destroyed (your choice) at the end of your license – if you don’t make a choice, your instructions are that we destroy it after 6 months (see 6.3.7 of the data sharing agreements).
Additionally, we are a CyberEssentials certified provider.
GDPR is the ‘General Data Protection Regulation’ – a European-wide law with some deliberate gaps which are plugged by the UK Data Protection Act 2018. It’s very complicated, but in basic terms, it is a strengthening of individuals’ rights in terms of what can be done by whom to their personal data. After Brexit, the GDPR will be replaced by the UK GDPR, a UK version of the GDPR.
Do I have to do anything about it? If you’re a parent, you don’t really need to worry as the GDPR doesn’t cover purely personal or household use of data. If you’re a school or an institution that holds personal data in any form, absolutely. You need to take steps to ensure the data you hold on people is secure and minimised, and that the person in question is aware of what data you have on them for what purpose. You also need to ensure that any organisations you use to process (that is to say, interact with in any way) that data are up to scratch. Like us!
So, what are you allowed and not allowed to do in principle? There are lots of requirements. A key one is that you need to tell people exactly what’s going to happen to their data and make sure you have consent or another legal basis for using it. If the data is sensitive, you need a second legal basis on top of the first one.
So if a school wants to use GCSEPod, GCSEPod needs to ask every student for consent? No. We don’t control the data, we process it on your behalf. If you use GCSEPod, it is your responsibility to identify which legal basis you will rely on, whether that’s consent or another legal basis from GDPR. We can’t advise you on that.
Is there a document that lays out what you do with data in full? Yes! It’s called a data sharing agreement or a DSA, and you get one as part of the setup process. This FAQ is intended only as a primer before you read the more in-depth version. You can download a copy from this page.
access to administrative functions is restricted to authorised individuals in the office and operatives in specific remote locations through the firewall
database access restricted to internal servers only with a proxy for remote management
web traffic is transferred over HTTPS
passwords are stored using one-way encryption
servers are kept up to date with the latest security fixes
How long is personal data kept? At the end of your subscription, we can destroy or return the data as you choose. The data sharing agreement says that if you don’t make that choice, your instructions are that we are to destroy the data after 6 months.
How is the data destroyed when no longer needed? All personal data is anonymised so that it’s completely impossible to tie an individual to any remaining data (like number of Pods watched). This renders it inert for GDPR’s purposes.
How do schools access the relevant data sharing agreements? Your data integration service (Wonde/XoD) displays the data sharing agreement during the setup process. Or you can download it from this page.
What data does GCSEPod need from Wonde and XoD? GCSEPod needs user data: some of it mandatory (e.g. to set up user accounts) and other data optional depending on what schools want to measure: it may be useful for the school for marking and reporting on usage but not necessary. The data sharing agreement has a list of data and how it’s used in GCSEPod.
What else do I need to know about you?
Office Address: UK Office: Newcastle Enterprise Centres, 6 Charlotte Square, Newcastle upon Tyne NE1 4XF