eduFOCUS Global Data Privacy & Security Policy

eduFOCUS Limited incorporated and registered in England and Wales with company number 05987706 and whose registered office is at 1 Vicarage Lane, Stratford, London E15 4HF ("eduFOCUS")

Introduction

• This is eduFOCUS' Global Data Privacy and Security Policy. We will refer to it as this Policy. This Policy is applicable in respect of all the services we provide.
• In this Policy, we will refer to ourselves as we, our, or us.
• We will refer to you, the user of any of our services as you.
• Where we are talking about Evolve and/or My Evolve services, we will refer to our customer to whom we provide the services - being schools, colleges, educational trusts and Local Authorities - as our Customer(s).
• The requirement to collect and process personal data is central to the services that we provide, and we are committed to maintaining the security and confidentiality of the personal data and information that we collect or receive. The personal data that we collect or receive, whether about you or about other people, will be referred to as Customer Data in this Policy. 
• We will only process Customer Data in accordance with this Policy.
• We understand the importance of data privacy and security and we operate under the strict data security provisions we have set out in this Policy.
• There are 2 sections to this Policy:

Section 1: covers the personal data about you that either our Customer has provided to us or that you provide to us when accessing our services. This may include your name, your email address and other information about you.

Section 2: covers the personal data about other people that you may have access to when you access the services we provide through Evolve. This may include the personal data of pupils, guardians and teachers. Section 2 only applies to you if you are using Evolve.

Changes to our policy

Any changes we make to our Policy in the future will be posted on our websites. Please check back frequently to see any updates or changes to this Policy. If you wish, you may also print this Policy for future reference.

Contact

Questions, comments and requests regarding this Policy are welcomed and should be addressed to info@edufocus.co.uk.

Section 1: Data and information about you that we process and collect

Your Personal Data

• We will be the Data Controller in respect of your personal data that is collected though Kaddi.
• We will not be the Data Controller in respect of your personal data which is provided to us by our Customers. In this case, our Customer will be the Data Controller in respect of your personal data and we will be a Data Processor.
• By accessing the services we provide, we will collect and/or receive certain personal information about you. The information that we collect may vary depending on what service you are accessing. All Customer Data (including your personal data) will be collected and processed in accordance with this Policy.

Your personal data - what will we collect?

• When you access or log in to any of our services, we may collect certain personal information about you including your name and email address. We may also collect information about how you use the services and the times at which you access the services. Such information may include IP addresses (this is the number that can uniquely identify a specific computer or other network device on the internet) and details of the browser you have used (such as Google Chrome, Mozilla Firefox and Internet Explorer). We will collect this in such a way that it will be statistical data about your browsing patterns and actions, and does not identify you.
• If you contact us in relation to the services, or if we need to contact you, we may retain a record of any communications between us.
• We may also collect details of when and where you have accessed our services including any location data. If you use our services on a mobile device this will include your geolocation information. If you do not wish us to collect this information please change the settings on your mobile device.
• Where our Customer has engaged us to supply more than one of our services we will share any personal data provided in respect of one of the services internally to ensure that we are providing a comprehensive service to our Customer.

How do we use your personal data?

• We will use your personal data for a number of purposes including:
• To provide our services to you and/or our Customers (as applicable).  Our Customer should have explained the services to you, which may have included an explanation of the information that we might need to collect about you;
• For the administration of our services, including issues that you may have accessing our services;
• To enable us to provide you with access to all of the services that we are providing to our Customer, subject to any relevant permission or access settings set by our Customer.  It will also enable us to provide you with specific information about changes or improvements to our services;
• To analyse and improve the services that we offer to our Customer and to personalise the services as much as possible so that we can try to ensure that you are able to make use of the full functionality of the relevant service; and
• We may use and disclose information in aggregate (so that no individuals are identified) for marketing and strategic development purposes as well as to provide such aggregated information to third parties.

How will we store your personal information?

• We store all of the Customer Data (including your personal data) on servers which are located in the United Kingdom. These servers are protected by passwords and firewalls.
• Unfortunately, the transmission of information via the internet is not completely secure.  Although we will do our best to protect the Customer Data (including your personal data), we cannot guarantee the security of such data transmitted to us over such a public network, and any transmission is at your own risk. 

Cookies

• We use “session” cookies on our services.  We will use the session cookies to keep track of you whilst you navigate through the services. Session cookies will be deleted from your computer when you end your session (for example you close your browser).
• Most browsers allow you to reject all cookies, whilst some browsers allow you to reject just third party cookies. For example, in Internet Explorer you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector. Blocking all cookies will, however, have a negative impact upon the usability of many websites (including our services).
• For more information on the cookies we use please refer to our cookies policy.

Access to information

• The General Data Protection Regulation (GDPR) gives you the right to access information held about you. Your right of access can be exercised in accordance with the GDPR.
• If you wish to access or would like more information about the information we hold about you please contact us. Our contact details are set out above.

Section 2: Data and information about other people that you may have access to

This Section 2 only applies to users of Evolve.

Customer Data that we hold

• Our Customer will provide us with Customer Data. This may be from our Customer's own databases and management information systems. This will also include data and information provided by users of our Services on behalf of our Customers (for example teachers, visit organisers and you).
• The only Customer Data that we will have access to when providing this service to you is the Customer Data that has been provided to us by our Customers (or other users of our services on behalf of our Customers).

Customer Data that you provide to us

• You need to ensure that prior to providing any Customer Data to us (including entering details in the forms and fields provided within the services) you have the necessary rights and permissions to do this.
• You need to consider our Customers' obligations and your obligations under the Data Protection Act 1998, any laws or regulations implementing Directive 95/46/EC (Data Protection Directive), and/or the General Data Protection Regulation (EU) 2016/679 (the GDPR) and/or any corresponding or equivalent national laws or regulations8 as well as other laws and regulations such as relating to information sharing, consent, and safeguarding requirements. You also need to consider any relevant policies, guidance and procedures that our Customer has in place.
• If you have any doubt as to whether you have the necessary rights and permission to provide us with any Customer Data you should not provide it and should speak to the individual who manages this service on behalf of our Customer. Alternatively, please speak to your line manager or supervisor.

What Customer Data might you have access to?

• The Customer Data which you may have access to could include the names, addresses, telephone numbers and dates of birth of both pupils and their parents and guardians. 
• In addition to this you may also have access to "sensitive personal data" (as defined in the GDPR) including information relating to religious beliefs,  special educational needs, confidential safeguarding information and health records.
• It is therefore very important when accessing information that you are aware of your data security, privacy, and confidentiality responsibilities in accordance with our Customer's policies and procedures.

Responsibilities when accessing the Services

• In order to access the services we provide, our Customer has provided you with the necessary log in details.
• You must ensure that your access of the services is in accordance with appropriate permissions and access controls, to ensure there is no unauthorised access to data and information, and any authorised access does not breach any procedures, policies, guidelines, regulations or laws that may apply to our Customer and/or Customer Data, including those relating to data protection, educational visits, safeguarding, information sharing and consent, acceptable use of ICT, and health and safety.
• Before supplying you with the necessary permissions and log in details required to access our services, our Customer should have provided you with all necessary training as may be relevant to the level of data access.  If you have not received appropriate training, or if you believe you have access to Customer Data that you should not have access to, then you must not access these services and you must contact our Customer immediately.
• You should only be accessing these services where it is necessary for you perform your roles and responsibilities in respect of our Customer. Our Customer should have only provided administrator access to those individuals responsible for managing access to our services.  If you have not been designated as an administrator by our Customer but find that you have administrator access to the services you must stop using the services and inform our Customer of this immediately.
• When accessing these services as an administrator you must be aware that you will have the ability to give users access to sensitive personal data.  Accordingly you must ensure that you only grant access to those users who are sufficiently trained (in accordance with our Customer's procedures, polices, guidelines, and applicable laws as noted above) and who require access to these services to perform their roles and responsibilities in respect of our Customer.
• You need to be aware of your surroundings when you are accessing our services.  You may have access to information which if, lost, disclosed or stolen could cause significant financial and reputational damage to our Customer.  Care must be taken to ensure that PCs, terminals or any other electronic devices on which Customer Data is accessed are not visible to unauthorised persons, especially in public places. Screens on which Customer Data is displayed should not be left unattended.
• If you gain access to any information that you are not authorised to see you must notify the relevant member of our Customer's staff immediately.

Sharing Customer Data

• It is important that you do not share any Customer Data with any third parties otherwise than in accordance with our Customer's procedures, polices, guidelines or laws and the associated training that you have received from our Customer.
• As mentioned above our Customer was required to obtain the necessary permissions before transferring any Customer Data to us. Such permissions will have included consent from the relevant parents or guardians to be contacted by SMS and/or email for specified purposes.  You need to ensure that you only contact those parents or guardians by SMS or email who have consented to receiving such communications.
• The only time that any information will be shared by us outside of our services is where our Customer has asked us to configure the service so that it shares certain data with specified third party programs including calendars.