Last Edited: June 2023
At eSchools we take privacy very seriously. We have prepared this Privacy Notice to ensure that we communicate to you, in the clearest way possible, how we treat your personal information. We encourage you to read this Privacy Notice carefully as it sets out how we will treat your personal information across our services.
- 6.1. We share (or may share) your personal data with:
Our personnel: our employees (or other types of workers) who have contracts containing confidentiality and data protection obligations.
Our supply chain: other organisations that help us provide our goods. We ensure these organisations only have access to the information required to provide the support we use them for, and we have a contract with them that contains confidentiality and data protection obligations.
- 6.2. If we were asked to provide personal data in response to a court order or legal request (e.g. from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response.
- 6.3. We may also disclose your personal information to the school in question in the case of improper use on the platform by individuals.
- 6.4. Where any of your data is required for such a purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, our obligations, and the obligations of the third party under the Data Protection Legislation.
- 7.1. We store your personal data on our servers in the EEA.
- 7.2. Whenever we transfer your personal data outside of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
(a) the Personal Data is transferred to or processed in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
(b) we participate in a valid cross-border transfer mechanism under Data Protection Legislation, so that we (and, where appropriate, the school) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required under the UK GDPR; or
(c) the transfer otherwise complies with Data Protection Legislation.
- 7.3. If you access our Website or purchase our services whilst abroad then your personal data may be stored on servers located in the same country as you or your organisation. Personal information that an individual adds to our websites may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others.
- 8.1. We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:
- access controls and user authentication (including multi-factor authentication);
- regular testing and review of our security measures;
- staff policies and training;
- incident and breach reporting processes;
- business continuity and disaster recovery processes.
- 8.2. If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law). Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.
- 8.3. We will store all the personal information you provide on our secure (password- and firewall-protected) servers. The web service we employ has a broad range of accreditations and certifications and the data centres used ensure the data stays within the EEA.
- 8.4. eSchools use a Secure Sockets Layer (SSL) which creates a secure connection and uses two keys to encrypt data in transit (schools can also purchase an SSL for any masking domain). Despite this, you acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data.
- 8.5. If you notice any unusual activity on the Website, please contact us at firstname.lastname@example.org.
- 9.1. This section sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal information. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
- 9.2. To decide how long to keep personal data (also known as its retention period), we consider the volume, nature, and sensitivity of the personal data, the potential risk of harm to you if an incident were to happen, whether we require the personal data to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g. by using aggregated data instead), and any applicable legal requirements (e.g. minimum accounting records for HM Revenue & Customs).
- 9.3. If you browse our Website, we keep personal data collected through our analytics tools for only as long as necessary to fulfil the purposes we collected it for.
- 9.4. If you have asked for information from us or you have subscribed to our mailing list, we keep your details until you ask us to stop contacting you.
- 9.5. Notwithstanding the other provisions of this Section 9, we will retain documents (including electronic documents) containing personal data:
- To the extent that we are required to do so by law;
- If we believe that the documents may be relevant to any ongoing or prospective legal proceedings; and
- In order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk).
- 10.1. You have specific legal rights in relation to your personal data.
- 10.2. We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive. Usually there is no cost for exercising your data protection rights, but we may charge a fee where we decide to proceed with a request that we believe is unfounded, repetitive or excessive. If this happens we will always inform you in writing.
- 10.3. We will respond to your legal rights request without undue delay, but within one month of us receiving your request or confirming your identity (whichever is later). We may extend this deadline by two months if your request is complex or we have received multiple requests at once. If we need to extend the deadline, we will let you know and explain why we need the extension.
- 10.4. We do not respond directly to requests which relate to personal data for which we act as the processor. In this situation, we forward your request to the relevant controller and await their instruction before we take any action.
- 10.5. If you wish to make any of the rights requests listed below, you can reach us at email@example.com.
- 10.6. Your rights include:
- Access: You must be told if your personal data is being used and you can ask for a copy of your personal data as well as information about how we are using it to make sure we are abiding by the law.
- Correction: You can ask us to correct your personal data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.
- Deletion: You can ask us to delete or remove your personal data if there is no good reason for us to continue holding it or if you have asked us to stop using it (see below). If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.
- Restriction: You can ask us to restrict how we use your personal data and temporarily limit the way we use it.
- Objection: You can object to us using your personal data if you want us to stop using it. If we think there is a good reason for us to keep using the information, we will let you know and explain our decision.
- Portability: You can ask us to send you or another organisation an electronic copy of your personal data.
- Complaints: If you are unhappy with the way we collect and use your personal data, you can complain to the ICO or another relevant supervisory body, but we hope that we can respond to your concerns before it reaches that stage. Please contact us at firstname.lastname@example.org.