What is GDPR?
GDPR is the ‘General Data Protection Regulation’ – a European-wide law with some deliberate gaps which are plugged by the UK Data Protection Act 2018. It’s very complicated, but in basic terms, it is a strengthening of individuals’ rights in terms of what can be done by whom to their personal data. After Brexit, the GDPR will be replaced by the UK GDPR, a UK version of the GDPR.
Do I have to do anything about it?
If you’re a parent, you don’t really need to worry as the GDPR doesn’t cover purely personal or household use of data. If you’re a school or an institution that holds personal data in any form, absolutely. You need to take steps to ensure the data you hold on people is secure and minimised, and that the person in question is aware of what data you have on them for what purpose. You also need to ensure that any organisations you use to process (that is to say, interact with in any way) that data are up to scratch. Like us!
So, what are you allowed and not allowed to do in principle?
There are lots of requirements. A key one is that you need to tell people exactly what’s going to happen to their data and make sure you have consent or another legal basis for using it. If the data is sensitive, you need a second legal basis on top of the first one.
So if a school wants to use S-cool.co.uk, S-cool.co.uk needs to ask every student for consent?
No. We don’t control the data, we process it on your behalf. If you use S-cool.co.uk, it is your responsibility to identify which legal basis you will rely on, whether that’s consent or another legal basis from GDPR. We can’t advise you on that.
Is there a document that lays out what you do with data in full?
Yes! It’s called a data sharing agreement or a DSA, and you get one as part of the setup process. This FAQ is intended only as a primer before you read the more in-depth version. You can request a copy from the data controller.
How and where is our data stored, and what security is used to ensure its safety?
Your data is stored in an Amazon Web Services (AWS) datacentre in Dublin, Ireland. Here’s a link to the AWS white paper on security: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
Here are some of our general security measures:
- access to administrative functions is restricted to authorised individuals in the office and operatives in specific remote locations through the firewall
- database access is restricted to internal servers only, with a proxy for remote management
- web traffic is transferred over HTTPS
- passwords are stored using one-way encryption
- servers are kept up to date with the latest security fixes
How long is personal data kept?
At the end of your subscription, we can destroy or return the data as you choose. The data sharing agreement says that if you don’t make that choice, your instructions are that we are to destroy the data after 24 months.
How is the data destroyed when no longer needed?
All personal data is anonymised so that it’s completely impossible to tie an individual to any remaining data (like number of pages requested). This renders it inert for GDPR’s purposes.
What else do I need to know about you?
S-cool.co.uk is operated by Soundbite Learning Limited, a company registered in England & Wales, whose company number is 06657980.
You can write to us at our UK office, which is:
Newcastle Enterprise Centres,
6 Charlotte Square, Newcastle upon Tyne NE1 4XF
ICO registration number: Z1442893
Privacy and Cookie notice
This notice applies to personal information of which we’re a “controller” including:
- personal information of individuals who’ve bought a subscription to S-cool.co.uk, and
- the contact points we have at our corporate customers such as schools.
The notice doesn’t apply to our corporate customers’ use of personal information or to our use of that personal information on the customer’s behalf, for which we’re a “processor”. Please see the next section for that.
How we process our customers’ data under GDPR
Full details on how we process data on schools’ behalf can be found in our data sharing agreement, but here are some technical details:
- All student data is held within the EU (see 6.3.1 of the data sharing agreements)
- You retain full control over what bits of data we can access
- All data in transit is encrypted using SSL/TLS
- Data at rest is encrypted with AES
- All personal data is returned or destroyed (your choice) at the end of your subscription – if you don’t make a choice, your instructions are that we destroy it after 24 months
If you have any other questions that aren't covered by this page, please write to the data controller by emailing [email protected]