GDPR is the ‘General Data Protection Regulation’ – a regulation created by the EU that will be passed into UK law separately. It’s very complicated, but in basic terms, it is a strengthening of individuals’ rights in terms of what can be done by whom to their personal data.
Do I have to do anything about it? If you’re a parent, you don’t really need to worry about what you do. If you’re a school or an institution that holds personal data in any form, absolutely. You need to take steps to ensure the data you hold on people is secure and reasonable, and that the person in question is aware of what data you have on them and for what purpose. You also need to ensure that any organisations you use to process (that is to say, interact with in any way) that data are up to scratch. Like us!
When’s it happening? Technically, it’s already happening. Legally, it’s enforceable from the 25th May – many organisations are working right now to ensure they’re up to scratch before then, however.
So, what are you allowed and not allowed to do in principle? Any personal data an organisation has is regulated – if you’re going to have the data, you need the individual’s explicit consent for it, and you need to tell them exactly what’s going to happen to it. You cannot do anything outside of what you said you were going to do – it’s all about consent.
So if a school wants to use GCSEPod, GCSEPod needs to ask every student for consent? No. We don’t control the data, we process it on your behalf. If you use GCSEPod, it is your responsibility to gather consent for any data you pass to us for processing. We’ll ask if you’ve gathered that consent, and only process the data if you confirm you have. Individuals must have the right to opt out.
Is there a document that lays out what you do with data in full? Yes! It’s called a Data Sharing Agreement or a DSA, and you get one as part of the setup process. This FAQ is intended only as a primer before you read the more in-depth version.
How and where is our data stored, and what security is used to ensure its safety? Dublin, Ireland. GDPR requires we keep it within the EU. Here are some of our general security measures:
access to administrative functions is restricted to authorised individuals in the office and operatives in specific remote locations through the firewall
database access restricted to internal servers only with a proxy for remote management
web traffic is transferred over HTTPS
passwords are stored using one-way encryption
servers are kept up to date with the latest security fixes
How long is personal data kept? At the end of your subscription, we can destroy or return the data at any time of your choosing. As standard, we anonymise the data, removing all personal information, after 3 months. This is to allow for any ongoing renewal discussions – we don’t want to delete data that’s going to be used again very soon!
How is the data destroyed when no longer needed? All personal data is anonymised so that it’s completely impossible to tie an individual to any remaining data (like number of Pods watched). This renders it inert for GDPR’s purposes.
How do schools access the relevant data sharing agreements? Your data integration service (Wonde/XoD) displays the data sharing agreement during the setup process.
What data do we take (Wonde and XoD)? We only take the data required for GCSEPod to run, mostly centred around identifying who is permitted to use which account. The full list of data we take is displayed on the data sharing agreement, which also outlines what we do with it.